Recent Activity Affecting the California Consumer Privacy Act: Amendments, Regulations, and More

October 2019

Lately, there has been a slew of updates to the California Consumer Privacy Act (the “CCPA”).  Most notably, on October 11, 2019, California Governor’s Gavin Newsom signed multiple bills into law which amend the CCPA, which was passed in June of 2018 and subsequently amended in September 2018 (as discussed here and here).  As you may know, the CCPA regulates the collection, disclosure and sale of personal information for for-profit businesses that do business in California and (a) have annual gross revenue over $25 million; (b) possess personal information of more than 50,000 California consumers or households; or (c) derive more than 50% of their revenue from selling personal information. It does not apply to nonprofit or political organizations; covered entities collecting health information pursuant to the Confidentiality of Medical Information Act or the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), consumer reporting agencies selling personal information to be used in a consumer report, financial institutions collecting or selling personal information pursuant to the  Gramm-Leach-Bliley Act (“GLBA”), or businesses collecting or selling personal information pursuant to the Driver’s Privacy Protection Act of 1994 (“DPPA”).  Most of the recent amendments to the CCPA clarify or provide exemptions to certain aspects of the CCPA.

Additionally, after much anticipation, on October 10, 2019, the California Attorney General released proposed regulations for implementing the CCPA.  Lastly, on September 24, 2019, the drafter of the 2018 ballot initiative that eventually became the CCPA, announced a new ballot initiative for the November 2020 ballot, the California Privacy Rights and Enforcement Act of 2020, which would amend the CCPA.

Below is a brief summary of the amendments signed on October 11, the proposed regulations, and the new ballot initiative.

CCPA Amendments

AB 25—Employment-Related Information and Verifiable Requests. AB 25 amends the CCPA to exempt personal information collected by a business about its job applicants, employees, contractors, or other staff members, from most of the CCPA’s requirements until January 1, 2021. In addition, this bill clarifies that a business must require reasonable verification of consumers in connection to their CCPA requests, and it allows a business to require a consumer to use their existing account (if they have one) to make consumer requests.

AB 874—Definition of Personal Information. AB 874 tightens the definition of “personal information” under the CCPA to mean information that is “reasonably capable" (as opposed to merely "capable") of being associated with a consumer or household.

AB 1130—Information Triggering Breach Notice. AB 1130 adds new types of data to the list that triggers the CCPA’s data breach provision and to the list triggering California’s existing data breach notification requirement. These new data types include unique biometric data, tax identification numbers, passport numbers, military identification numbers, and other unique identification numbers issued on a government document.

AB 1146—Vehicle Information Exemption. AB 1146 clarifies that the CCPA-defined right of deletion and right to “opt out” of the sale of personal information do not apply if a business or service provider needs the personal information to fulfill the terms of a warranty or product recall that is conducted in accordance with federal vehicle safety law.

AB 1202—Data Broker Registration. Under AB 1202, businesses engaged in CCPA-defined “data sales” that involve personal information of consumers with whom they do not have a direct relationship must register with the California Attorney General’s Office. Failure to register exposes the business to civil penalties, injunctive relief, fees, and costs.

AB 1355—Miscellaneous Fixes. AB 1355 will exempt personal information related to certain business-to-business communications or transactions in the context of business due diligence from certain requirements of the CCPA until January 1, 2021. This exemption applies when personal information is collected during a communication or transaction between a business and a “consumer” who is not acting on behalf of themselves, but rather as an employee, owner, director, officer, or contractor of another business entity (i.e., a business contact).

Additionally, AB 1355 revises the CCPA’s nondiscrimination provisions by clarifying that differing prices or services may be provided based upon the value of the provided data to the business, rather than their value to the consumer. These revisions should make it easier for businesses to tie their loyalty incentives to the value of provided data.

Finally, AB 1355 provides additional clarifications and other technical amendments to a variety of provisions: clarifying the Fair Credit Reporting Act (FCRA) exemption; specifying that businesses do not need to collect personal information that they would not normally collect or retain it for longer than they otherwise would; providing additional rulemaking authority to the California Attorney General regarding compliance with verifiable consumer requests; and clarifying that a consumer’s private right of action is for data breaches of nonencrypted and nonredacted personal information.

AB 1564—Toll-Free Number Optional if Exclusive Online Operations. Currently, the CCPA requires businesses to have two or more designated methods for consumers to contact a business to make requests under the law, including a toll-free number and an internet website address. AB 1564 changes this requirement in that if a business operates exclusively online and has a direct relationship with a consumer, providing an email address for consumers to submit their requests would be sufficient.

CCPA Proposed Regulations

The CCPA, as amended to date, provides that the California Attorney General cannot enforce the CCPA until six months after publishing regulations pursuant to the CCPA or July 1, 2020, whichever is sooner. Comments on the Attorney General’s proposed regulations are due December 6, 2019, and the Attorney General’s office will hold public hearings on the regulations December 2–5 in Sacramento, Los Angeles, San Francisco, and Fresno.

The proposed regulations, which are available here, include guidance on the language for notices of collection of personal information; the right to opt out of the sale of personal information, and financial incentive, both online and offline; specifics of the contents and posting of a privacy policy; acceptable methods for submitting, responding to, and complying with consumer requests; employee training and record keeping; the verification process; special rules regarding minors under the age of 16; and methods for calculating value of a consumer’s data to a business.

New Ballot Initiative

The California Privacy Rights and Enforcement Act of 2020, available here, is an initiative that Californians for Consumer Privacy hopes to get on the November 2020 California ballot, as the same organization sought to do with the CCPA for the November 2018 election, which led to the California state legislature's hastily passing the CCPA instead. The 2020 ballot initiative would, among other things, create the independent “California Privacy Protection Agency”; amend the CCPA with regard to sensitive information, such as social security numbers, precise geolocation data, and information revealing racial or ethnic origin; address non-personalized advertising; establish a right to correct inaccurate data; and set forth additional contractual requirements between a business and service providers. If passed in November 2020, the ballot initiative would take effect January 1, 2021.

The CCPA’s January 1, 2020 effective date is fast approaching, with finalized regulations to follow close behind and further changes spurred from the 2020 ballot initiative waiting in the wings.

If you would like assistance with complying with these requirements, please contact one of our Cybersecurity & Data Privacy attorneys.

Firm Highlights
Client Alert

Supreme Court Limits Ability to Compel Access to Private Property Without Compensation

More
News

Jeannine Moentmann Becomes President of St. Louis Paralegal Association for 2021-2022

More
Client Alert

Missouri Supreme Court Reverses Overtime Wages Judgment Resulting from Employer-Mandated Screenings Under the Portal-to-Portal Act

More
News

Lewis Rice Welcomes 2021 Summer Associates

More
Client Alert

FTC Adds Teeth to the ‘Made in USA’ Rule

More
News

A Lawyer’s Guide to the Galaxy Podcast Named Among Best Copyright Law Podcasts for 2021 by Welp Magazine

More
Client Alert

CROWN Act Legislation on the Verge of Passage in St. Louis City & County

More
Diversity & Inclusion

Lewis Rice Launches “Next Level” Diversity and Inclusion Programs

More
News

Michael D. Mulligan, Mysun Charitable Foundation Recognized at Greensfelder Park Ribbon Cutting Ceremony

More
Client Alert

Colorado Joins the Bandwagon, Enacts Comprehensive Privacy Law

More
Diversity & Inclusion

Law Firm ILN-telligence Podcast Hosts Ronald A. Norwood to Discuss Mentorship, Diversity & Inclusion in the Legal Industry, and the Importance of Equity for All

More
Client Alert

The Changing Workplace Following the Latest CDC Mask Guidance

More
Client Alert

Supreme Court Hands Down Unanimous Decision Limiting FTC’s Ability to Seek Monetary Relief

More
News

Jeremy P. Brummond Presents at Webinar for Experienced Construction Attorneys

More
News

Claims Filed for Compensation in North Carolina Ecusta Trail Rail-to-Trail Case

More
Client Alert

DOL Publishes Cybersecurity Guidance for Benefits Plans

More
Client Alert

First-Issued Interim Final Rule Gives Guidance on No Surprises Act

More
Client Alert

The New Standard Contractual Clauses: Scope, Impact, and Next Steps

More
Client Alert

EEOC Issues Updated Guidance on COVID Vaccination Policies

More
Client Alert

Missouri Supreme Court Holds that Public Governmental Bodies May Not Charge for Attorney Review Time

More