Don’t wait to implement your California Consumer Privacy Act (CCPA) compliance as it could require changes to your operations. As a reminder, the CCPA takes effect January 1, 2020 and can apply to businesses even if they do not have offices or employees in California. It can also reach activities conducted outside of California.
As of September 13, 2019, the California legislature advanced six CCPA amendments to Governor Newsom’s desk for signature. The Governor has until October 13, 2019, to act on any or all of these amendments. The amendments clarify some exemptions to the CCPA, create some new narrow exemptions, update some operational requirements, clarify some defined terms, and create a new data broker registry. Given the magnitude of the CCPA overall, and some of its provisions that lack clarity in interpretation, the amendments are relatively limited in nature and leave a number of questions about CCPA compliance unanswered. A brief overview of highlights from the amendments follows:
Limited Employee and Personnel Exemption
For a period of 1 year (January 1, 2020-December 31, 2020), the CCPA would not apply to personal information collected in connection with an individual’s role as a current or former job applicant to, employee of, owner of, medical staff member of, or contractor of a business—solely to the extent the individual’s personal information is used and collected in the context of that role. The limited exemption also covers emergency contact information of such persons and personal information necessary to administer benefits for any other person relating to such persons. These individuals nonetheless retain their CCPA rights to be informed of the categories of personal information collected and the purposes for which the personal information is used by the business along with their right to bring a private action for a data breach.
Changes to “Personal Information”
The word “reasonably” has been added in front of “capable of being associated with” a consumer or household in the definition of “personal information.”
Any “information that is lawfully made available from federal, state, or local government records” is “publicly available” and not “personal information,” regardless of how that information is used. Previously, businesses would have been required to use that information for a purpose compatible with the purpose for which the data is maintained in order to invoke the “public information” exemption.
As amended, “personal information” does not include consumers’ information that is deidentified or aggregate consumer information. The amendments do not address or further clarify the standards for de-identifying data.
Limited B2B Information Exchange Exemption
For a period of 1 year (January 1, 2020-December 31, 2020), a number of CCPA rights would not apply to personal information collected in the context of a business-to-business relationship. This exemption does not apply to the rights to opt in / opt out from sale of one’s personal information and be protected from certain discrimination if one exercises one’s CCPA rights. To fall in this exemption, the individual must be acting as an employee, owner, director, officer, or contractor of a business, and their personal information exchanged must be in the context of a business relationship (e.g., conducting due diligence, or providing or receiving a product or service from the business).
Clarifications Bearing on Implementing the CCPA
A business would be permitted to require reasonable authentication of the individual making a request to know what personal information the business maintains about them (or other CCPA request requiring verification) to help that business review and confirm whether it is a verifiable consumer request. Reasonableness would be determined based on the circumstances, i.e., the nature of the information requested. If a consumer maintains an account with the business, then the business could require the consumer to submit requests via that account.
Businesses that operate exclusively online and have a direct relationship with the consumer would only have to provide an email address for consumers to submit disclosure requests to the business (and not also a toll-free number).
The amendments specifically permit the California Attorney General to adopt additional regulations on how to process and comply with verifiable consumer requests for specific pieces of personal information relating to households (which are included in the definition of personal information). There have been security and privacy concerns that members of a household will be able to seek copies of information of other individuals in a household.
The amendments clarify that the CCPA does not require a business to collect personal information that it would not otherwise collect in the ordinary course of its business or retain personal information for longer than it would otherwise retain such information in the ordinary course of its business.
FCRA Information Exemption
The CCPA does not apply to information processing for purposes of the Fair Credit Reporting Act (FCRA), namely collecting, maintaining, disclosing, selling, communicating, or using personal information bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency. The exemption does not impact an individual’s ability to bring a private action against a business for a data breach involving such information.
Narrow Vehicle Industry Exemption
The amendments add a narrow vehicle industry exception for the CCPA’s “do not sell” requirements. The CCPA right to opt out or opt in from sale of one’s personal information would not apply to vehicle information (e.g., VIN, make, model, year, odometer reading) or ownership information (e.g., name of registered car owner and contact information) exchanged between a car manufacturer and new car dealer if used to carry out a vehicle repair covered by warranty or recall (so long as the recipient does not sell, share or use that information for any other purpose).
New Data Broker Registration
A separate law, not part of the CCPA, passed with the CCPA amendments given it “piggybacks” on the CCPA’s definitions to set out its requirements. The law requires “data brokers” to register with the California Attorney General. A “data broker” is a CCPA-regulated business that “knowingly collects and sells to third parties the personal information of a consumer with whom the business has no direct relationship.” It does not include entities already regulated by the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA), or California’s Insurance Information and Privacy Protection Act. Each year on or before January 31, data brokers would be required to register with the California Attorney General, pay the applicable fee and provide certain information. The law directs the Attorney General to create a publicly available online registry of all data brokers.