Businesses and California consumers are one step closer to understanding what their respective obligations and rights are under the California Consumer Privacy Act of 2018 (the “CCPA”). The CCPA is California’s landmark legislation that seeks to give California consumers the rights to learn about and control certain aspects of how a business handles the personal information that a business collects about them. It achieves this by requiring businesses to implement certain measures that enable consumers to exercise these rights. For an in-depth discussion of the CCPA more generally, please read our previous posts (here and here).
Since the CCPA’s enactment in June 2018, California legislators have scrambled to clarify the law’s scope and requirements in advance of its January 1, 2020 effective date. On September 13, 2019, the last day of the California legislative session before the CCPA goes into effect, the legislature passed five amendments that will be presented to the California Governor for signature. We will continue to track and report on the status of each of these amendments and whether each has been signed into law.
Below is a high-level overview of aspects of the five bills amending the CCPA that await the Governor’s signature, two proposed amendments that were ordered to the inactive file without passage, and an additional bill awaiting the Governor’s signature that would require data brokers to register with the Attorney General of California.
The Winners: The Bills that are Advancing to the Governor for Signature
Assembly Bill 25: Employment Information
-
Generally exempts from the scope of the CCPA, until January 1, 2021, personal information collected by a business in certain limited employment-related contexts.
Assembly Bill 874: Definitions – Personal Information and Publicly Available Information
-
Narrows the definition of “personal information” by expanding the scope of the “publicly available information” exemption.
Assembly Bill 1146: Vehicle Information
-
Removed consumers’ opt-out rights where personal information is shared between a new motor vehicle dealer and the vehicle’s manufacturer for purposes of a vehicle repair covered by a warranty or recall.
Assembly Bill 1355: Drafting Errors and Clarifying Changes
-
Until January 1, 2021, exempts from many of the CCPA’s requirements personal information collected as part of certain business-to-business (B2B) transactions or communications.
-
Narrows the scope of “personal information” that is subject to CCPA requirements by excluding deidentified[1] or aggregate consumer information.[2][3]
-
Allows businesses to authenticate consumers based on what is reasonable in light of the nature of the personal information requested and allows businesses to require consumers to submit access requests through existing accounts.
-
Makes certain clarifying amendments, such as clarifying that businesses do not need to collect personal information for compliance purposes if they do not normally do so.
-
Corrects certain drafting errors.
Assembly Bill 1564: Methods for Consumers to Submit Requests for Disclosures
-
Creates an exception for certain online-only businesses to the general rule that businesses must offer at least two methods for consumers to submit requests for CCPA disclosures.
-
Such online-only businesses need only provide consumers with an email address for submitting requests for CCPA disclosures.
The Losers: The Bills That Could Have Been
Assembly Bill 846: Loyalty Programs
Assembly Bill 846 would have specified that the CCPA should not be construed as prohibiting businesses from offering customer loyalty programs, provided that they are not “unjust, unreasonable, coercive, or usurious in nature.” This bill was ordered to the inactive file, although it is possible that this bill will return in the next legislative session. The inactive file is a holding area for bills that are ready for floor consideration, and bills from the inactive file may be sent to the floor for consideration at a later time.
Assembly Bill 1281: Facial Recognition Technology Disclosure
Businesses that use facial recognition technology do not need to disclose their usage on posted signs, for now. On September 10, 2019, this bill, which would have required businesses to post such signs, was ordered to the inactive file.
Data Broker Registration Bill
On a related note, the California legislature also passed a bill governing data brokers. Assembly Bill 1202 requires data brokers to register with the Attorney General of California. Data brokers are defined in the bill as businesses that knowingly collect and sell to third parties the personal information of a consumer with which it does not have a direct relationship. The bill would incorporate the broad definition of “sale” from the CCPA, broadening the scope of the law, if enacted.
[1] Under the amendments, “deidentified” means information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer, provided that a business that uses deidentified information implements processes to prevent reidentification of, and itself does not attempt to reidentify, the information.
[2] Under the amendments, “aggregate consumer information” means information that relates to a group or category of consumers, from which individual consumer identities have been removed, that is not linked or reasonably linkable to any consumer or household, including via a device.
[3] The exclusion of deidentifed or aggregate consumer information also appears in Assembly Bill 874. The determination of which of these two bills will be operative with respect to this concept will depend on the order in which the bills are enacted.