2019 Amendments to CCPA Provide Some 11th Hour Relief
Six bills passed late in the 2019 legislative session, and signed into law by Governor Newsom, amend and clarify the California Consumer Privacy Act in several important respects.
The California Consumer Privacy Act (CCPA) codified a set of consumer rights with respect to the privacy and security of their personal information.
Specifically, the CCPA provides that California consumers have basic rights in relation to their personal information, and requires covered businesses to uphold and preserve those rights. These rights, subject to specific definitions of what constitutes "personal information" as well as restrictions and controls on covered businesses to ensure these rights are honored, include the right to know what has been collected, the right to delete that information, the right to opt out of having that collected information sold or transferred, and the right not to be discriminated against for having exercised those rights. The CCPA also provides that consumers have the right to sue covered businesses for damages in the event of a data breach or other improper disclosure of their personal information.
The CCPA was rushed into law on June 28, 2018, in order to prevent California voters from voting directly on a data privacy referendum that was scheduled to appear on the ballot in the November 2018 general election. Compliance has since been put off but is set to go into effect on January 1, 2020.
Many businesses are ill-prepared to handle compliance with the CCPA. "Covered businesses" include any for-profit business that collects and controls California residents’ personal information, does business in the state of California, and:
Has annual gross revenues of $25 million or more; or
Buys, receives, sells or discloses the personal information of 50,000 or more California residents, households or devices on an annual basis; or
Derives 50 percent or more of its annual revenues from selling California residents’ personal information; or
Is an affiliate of a covered business that shares the same branding.
Given the monumental impact and lack of preparation, several changes were passed into law at the 11th hour of the 2019 legislative session to provide some businesses with relief from full-scale compliance. Below is a breakdown of the 6 bills that did just that:
AB 25 – Employment-Related Information and Verifiable Consumer Requests
Assembly Bill 25 provides a one-year exemption (until January 1, 2021) from most of the law’s requirements for information concerning a business’ employee, job applicant, director, officer or contractor, if this information relates solely to the work relationship. Emergency contact information and information required in order to administer benefit plans and programs are specifically covered by this temporary exemption.
In addition to the employment-related provisions, AB 25 clarifies that a business may require reasonable authentication or verification of a consumer’s identity in connection with a consumer request, and that a business may also require a consumer to use an existing account with the business to submit a verifiable consumer request.
AB 874 – Definition of Personal Information to Include Reasonableness
Narrows the definition of “personal information” by clarifying that personal information must “reasonably” be capable of being associated with a particular consumer or household.
AB 1146 – Exemption for Vehicle Information
Establishes a narrow exemption under which the CCPA’s opt-out and deletion rights do not apply if a business or service provider needs the personal information to fulfill the terms of a warranty or product recall that is conducted in accordance with federal vehicle safety laws.
AB 1564 – No Phone Number Required for Online Only Businesses
Amends the designated methods by which consumers can opt out of data collection or request deletion of collected data to state that businesses that operate exclusively online do not have to provide a toll-free telephone number for these purposes.
AB 1202 – Registration Required for Data Brokers
Requires data brokers to register annually with the California Attorney General’s Office. “Data broker” is defined broadly as any business that knowingly collects and sells personal information of consumers with whom the business does not have a direct relationship, with limited exceptions. The Attorney General will set registration fees and post information about the data brokers on its website. Failure to register will expose the data broker to civil penalties, injunctive relief, fees and costs.
Credit reporting agencies and financial institutions are explicitly exempted.
AB 1355 – Miscellaneous Provisions
This bill includes a number of miscellaneous clarifications and amendments:
Clarification Regarding the Nondiscrimination Provisions. Clarifies the scope of the nondiscrimination provisions by providing that differing prices or services can be offered based on the value of the data to the business. This change should make it easier for businesses to base loyalty incentives on the value of collected consumer data.
De-identified or Aggregated Information. It also clarifies that personal information does not include de-identified or aggregated consumer information.
One-Year Exemption for Certain Business-to-Business Data. Also creates a one-year exemption for personal information collected in certain business-to-business transactions. Specifically, the bill exempts personal information that reflects a communication or transaction between or among a business and the employees or contractors of another business for the purpose of conducting due diligence or providing or receiving a product or service. Importantly, the bill does not exempt businesses from the opt-out or data breach provisions, including the consumer’s right to sue for damages for an unauthorized breach.