California Legislature Brings Clarity and Focus to the California Consumer Privacy Act with the Passing of Five CCPA Amendments
For months now, proposed amendments to California’s new game-changing privacy law—the California Consumer Privacy Act of 2018 (“CCPA”)—have been working their way through the California state legislature. On the last day of its 2019 legislative session, California’s lawmakers finally provided some clarity as to what the law will say when it goes into effect next year with the passing of five CCPA amendments that will be signed into law. While the amendments leave the core requirements of the CCPA largely intact, they modify almost every section of the CCPA in some form or fashion, meaning that companies that fall under the scope of the CCPA will have to take action quickly to get in compliance with the law before it goes into effect in less than four months.
On Friday, September 13, 2019, the California legislature capped its 2019 legislative session by sending five amendments to the California Consumer Privacy Act of 2018 to the California governor’s desk for signature. While none of the amendments provide any substantive modifications to the law’s core requirements, these amendments do provide important clarification of ambiguous aspects of the law, while at the same time lessening the compliance burden on covered entities to some extent through the addition of several new exemptions. In particular, the five amendments provide the following important changes and additions to the CCPA:
- Limited Employee Exemption: The amendments provide a somewhat limited exemption for employee information from the scope of the CCPA until 2021. Specifically, the amendments exempt from the law’s definition of “personal information” all information that is collected by a covered entity from job applicants, employees, business owners, directors, officers, medical staff, and contractors, as well as emergency contact information of these categories of individuals and information needed to administer HR benefits. But the exemption only applies until 2021, and the exemption does not apply to the law’s private right action provision and law’s requirement that covered businesses—at or before the point of collection of personal information—inform consumers of the categories of personal information that are collected by the business and the purposes for which that information will be used. Thus, employers will still face significant compliance burdens under the CCPA, including providing privacy notices to employees and job applicants and implementing reasonable security measures beginning in January of 2020.
- Addition of Reasonableness Standard to Definition of “Personal Information”: The amendments redefine the term “personal information” to entail information that is “reasonably capable of being associated with a particular consumer or household,” as opposed to merely being “capable of being associated with a particular consumer or household,” which will ostensibly create a more workable standard and lessen the overall compliance burden on covered entities.
- Addition of Business-to-Business ("B2B") Exemption: The amendments exclude personal information that is collected in certain business-to-business transactions. Specifically, excluded from the scope of the law is personal information conveyed between a business and a consumer when the consumer is acting as an employee, owner, director, officer, or contractor of an entity, if the communication or transaction takes place exclusively within the context of “the business conducting due diligence regarding, or providing or receiving a product or service to or from such company, partnership, sole proprietorship, nonprofit, or government agency.” With that said, the exemption does not extend to the CCPA’s right to opt-out or anti-discrimination provisions, and is also inapplicable if the business collects information from the consumer in a non-business context. Moreover, akin to the employee exemption, the B2B exemption has a sunset provision that will eliminate this carve-out on January 1, 2021.
- Additional Leeway to Satisfy Verifiable Consumer Request Requirement: The amendments provide an exception to the prohibition on businesses requiring a consumer to create an account with the business in order to make a verifiable consumer request by permitting a business to require authentication of the consumer that is reasonable in light of the nature of the information that is requested. In addition, the amendments also authorize businesses to require a consumer to submit a verifiable consumer request through an account that the consumer already maintains with that business (and thus does not have to create a new account to complete the verification process), which will allow businesses to utilize current account identity verification procedures to comply with the law’s consumer verification requirements.
- Clarification on Deidentified or Aggregate Consumer Information: The amendments clarify that consumer information that is deidentified or aggregate consumer information is excluded from the law’s definition of “personal information.”
- Clarification on Anti-Discrimination Provision: The amendments revise the law’s anti-discrimination provision to provide that differential treatment is permitted where such treatment is reasonably related to the value provided to the business, as opposed to the consumer, by the consumer’s data.
- Modification of Definition of “Publicly Available Information”: The amendments redefine the term “publicly available information”—which is excluded from the law’s definition of “personal information”—to mean information that is lawfully made available from federal state, or local records.
- Clarification of Scope of Private Right of Action Provision: The amendments clarify that under the CCPA’s private right of action, consumers can only pursue lawsuits for data breaches where the data at issue is both nonencrypted and nonredacted (but not when the data is either redacted or encrypted). Fortunately for covered entities, however, the proposed CCPA amendment which would have extended the private right of action to cover any violation of a consumer’s CCPA rights did not make it to the governor’s desk for signature.
- New Data Broker Registration Requirement: The amendments add a new requirement to the CCPA that requires data brokers to register with, and provide certain information to, the California attorney general.
- Modification of Requirements for Providing Methods for Consumers to Exercise CCPA Rights: The amendments add an exception to the requirement that businesses provide two methods for consumers to exercise their CCPA rights, including—at a minimum—a toll-free telephone number, which permits a business that operates exclusively online and has a direct relationship with a consumer from whom it collects personal information to provide only an email address for consumers to submit requests to exercise their rights under the CCPA.
As it is anticipated that all five CCPA amendments will be signed into law by the California governor, the recently-passed amendments will go into effect January 1, 2020, the same day as the effective date of the rest of California’s new privacy law. As such, businesses that fall under the scope of the CCPA must take action now in order to make the necessary changes to their CCPA compliance programs to take into account these new amendments before the law goes into effect in less than four months. Given the limited window of time before the CCPA takes effect, covered businesses should take immediate steps to make the necessary changes to bring themselves into compliance with the CCPA by the law’s effective date. At the same time, covered entities should also remain on the lookout for any last-minute regulatory developments issued by the California attorney general that would require further tweaking of their CCPA compliance programs.
© 2019 Blank Rome LLP. All rights reserved. Please contact Blank Rome for permission to reprint. Notice: The purpose of this update is to identify select developments that may be of interest to readers. The information contained herein is abridged and summarized from various sources, the accuracy and completeness of which cannot be assured. This update should not be construed as legal advice or opinion, and is not a substitute for the advice of counsel.