Recent Activity Affecting the California Consumer Privacy Act: Amendments, Regulations, and More

October 2019

Lately, there has been a slew of updates to the California Consumer Privacy Act (the “CCPA”).  Most notably, on October 11, 2019, California Governor’s Gavin Newsom signed multiple bills into law which amend the CCPA, which was passed in June of 2018 and subsequently amended in September 2018 (as discussed here and here).  As you may know, the CCPA regulates the collection, disclosure and sale of personal information for for-profit businesses that do business in California and (a) have annual gross revenue over $25 million; (b) possess personal information of more than 50,000 California consumers or households; or (c) derive more than 50% of their revenue from selling personal information. It does not apply to nonprofit or political organizations; covered entities collecting health information pursuant to the Confidentiality of Medical Information Act or the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), consumer reporting agencies selling personal information to be used in a consumer report, financial institutions collecting or selling personal information pursuant to the  Gramm-Leach-Bliley Act (“GLBA”), or businesses collecting or selling personal information pursuant to the Driver’s Privacy Protection Act of 1994 (“DPPA”).  Most of the recent amendments to the CCPA clarify or provide exemptions to certain aspects of the CCPA.

Additionally, after much anticipation, on October 10, 2019, the California Attorney General released proposed regulations for implementing the CCPA.  Lastly, on September 24, 2019, the drafter of the 2018 ballot initiative that eventually became the CCPA, announced a new ballot initiative for the November 2020 ballot, the California Privacy Rights and Enforcement Act of 2020, which would amend the CCPA.

Below is a brief summary of the amendments signed on October 11, the proposed regulations, and the new ballot initiative.

CCPA Amendments

AB 25—Employment-Related Information and Verifiable Requests. AB 25 amends the CCPA to exempt personal information collected by a business about its job applicants, employees, contractors, or other staff members, from most of the CCPA’s requirements until January 1, 2021. In addition, this bill clarifies that a business must require reasonable verification of consumers in connection to their CCPA requests, and it allows a business to require a consumer to use their existing account (if they have one) to make consumer requests.

AB 874—Definition of Personal Information. AB 874 tightens the definition of “personal information” under the CCPA to mean information that is “reasonably capable" (as opposed to merely "capable") of being associated with a consumer or household.

AB 1130—Information Triggering Breach Notice. AB 1130 adds new types of data to the list that triggers the CCPA’s data breach provision and to the list triggering California’s existing data breach notification requirement. These new data types include unique biometric data, tax identification numbers, passport numbers, military identification numbers, and other unique identification numbers issued on a government document.

AB 1146—Vehicle Information Exemption. AB 1146 clarifies that the CCPA-defined right of deletion and right to “opt out” of the sale of personal information do not apply if a business or service provider needs the personal information to fulfill the terms of a warranty or product recall that is conducted in accordance with federal vehicle safety law.

AB 1202—Data Broker Registration. Under AB 1202, businesses engaged in CCPA-defined “data sales” that involve personal information of consumers with whom they do not have a direct relationship must register with the California Attorney General’s Office. Failure to register exposes the business to civil penalties, injunctive relief, fees, and costs.

AB 1355—Miscellaneous Fixes. AB 1355 will exempt personal information related to certain business-to-business communications or transactions in the context of business due diligence from certain requirements of the CCPA until January 1, 2021. This exemption applies when personal information is collected during a communication or transaction between a business and a “consumer” who is not acting on behalf of themselves, but rather as an employee, owner, director, officer, or contractor of another business entity (i.e., a business contact).

Additionally, AB 1355 revises the CCPA’s nondiscrimination provisions by clarifying that differing prices or services may be provided based upon the value of the provided data to the business, rather than their value to the consumer. These revisions should make it easier for businesses to tie their loyalty incentives to the value of provided data.

Finally, AB 1355 provides additional clarifications and other technical amendments to a variety of provisions: clarifying the Fair Credit Reporting Act (FCRA) exemption; specifying that businesses do not need to collect personal information that they would not normally collect or retain it for longer than they otherwise would; providing additional rulemaking authority to the California Attorney General regarding compliance with verifiable consumer requests; and clarifying that a consumer’s private right of action is for data breaches of nonencrypted and nonredacted personal information.

AB 1564—Toll-Free Number Optional if Exclusive Online Operations. Currently, the CCPA requires businesses to have two or more designated methods for consumers to contact a business to make requests under the law, including a toll-free number and an internet website address. AB 1564 changes this requirement in that if a business operates exclusively online and has a direct relationship with a consumer, providing an email address for consumers to submit their requests would be sufficient.

CCPA Proposed Regulations

The CCPA, as amended to date, provides that the California Attorney General cannot enforce the CCPA until six months after publishing regulations pursuant to the CCPA or July 1, 2020, whichever is sooner. Comments on the Attorney General’s proposed regulations are due December 6, 2019, and the Attorney General’s office will hold public hearings on the regulations December 2–5 in Sacramento, Los Angeles, San Francisco, and Fresno.

The proposed regulations, which are available here, include guidance on the language for notices of collection of personal information; the right to opt out of the sale of personal information, and financial incentive, both online and offline; specifics of the contents and posting of a privacy policy; acceptable methods for submitting, responding to, and complying with consumer requests; employee training and record keeping; the verification process; special rules regarding minors under the age of 16; and methods for calculating value of a consumer’s data to a business.

New Ballot Initiative

The California Privacy Rights and Enforcement Act of 2020, available here, is an initiative that Californians for Consumer Privacy hopes to get on the November 2020 California ballot, as the same organization sought to do with the CCPA for the November 2018 election, which led to the California state legislature's hastily passing the CCPA instead. The 2020 ballot initiative would, among other things, create the independent “California Privacy Protection Agency”; amend the CCPA with regard to sensitive information, such as social security numbers, precise geolocation data, and information revealing racial or ethnic origin; address non-personalized advertising; establish a right to correct inaccurate data; and set forth additional contractual requirements between a business and service providers. If passed in November 2020, the ballot initiative would take effect January 1, 2021.

The CCPA’s January 1, 2020 effective date is fast approaching, with finalized regulations to follow close behind and further changes spurred from the 2020 ballot initiative waiting in the wings.

If you would like assistance with complying with these requirements, please contact one of our Cybersecurity & Data Privacy attorneys.