California’s New Privacy Law: Recent Amendments and Approaching Compliance Deadlines
Privacy & Cybersecurity Update
Date: September 30, 2019
As we discussed in previous Privacy & Cybersecurity Updates (“California Expands Consumer Privacy Protections” and “Amendments to California Privacy Law Will Impact Businesses”), the California Consumer Protection Act (CCPA) is an expansive, rights-based approach to privacy with national and international ramifications that will likely serve as a template for other states as they draft their own consumer privacy and data protection legislation. The time for compliance is now, as the CCPA takes effect on January 1, 2020, and it includes a “look back” period, which makes it critical for businesses to evaluate their data practices in the months leading up to its effective date.
Given how quickly the CCPA originally was drafted, even the bill’s sponsors knew that amendments would be necessary before its effective date. On September 13, the very last day available on the legislative calendar, the California State Assembly passed a package of amendments clarifying the law’s application, as well as certain compliance obligations businesses now face under the CCPA. California Governor Gavin Newsom now has until October 13 to act on the amendments.
The amendments passed by the California legislature on September 13 include:
- Employee exemption. Assembly Bill 25 amends the CCPA to delay for one year its application to the collection and use of employees’ and prospective employees’ personal information, including data obtained from job applicants, business owners, directors, officers, medical staff or contractors. However, this exemption does not apply to the CCPA’s private right of action provision, nor does it apply to a business’s obligation to notify California residents, at or before the time it collects personal information, of the categories of personal information it collects and the purposes for which the information will be used. Therefore, covered businesses still must provide notice of their data processing activities to their employees, job candidates and others. However, to the extent a business is gathering employees’ and job candidates’ information in their capacity as consumers, and not as employees and applicants, this exemption does not apply, and such individuals are afforded all applicable data privacy rights under the CCPA.
- Narrowed scope of personal information. Assembly Bill 874 amends the CCPA’s definition of “personal information” so it only applies to information that is “reasonably capable” of being associated, linked or identified with a consumer or household. While that change might seem slight, data such as IP addresses or geolocation data will only be subject to the CCPA if it can “reasonably” be associated with a consumer or household. The amendment further specifies that personal information does not include deidentified or aggregated consumer information. In turn, Assembly Bill 874 defines “deidentified” data as information that “cannot reasonably” identify, relate to or describe a particular consumer, provided that a business using deidentified information has implemented technical safeguards that prohibit reidentification of the data; has implemented business processes that prohibit such reidentification and prevent inadvertent release of deidentified information; and makes no attempt to reidentify the information.
- Business-to-business data. Assembly Bill 1355 exempts from several of the CCPA’s requirements personal information on individuals that a covered business obtains as part of certain business-to-business transactions or relationships. For example, the CCPA will not apply to personal information conveyed between a business and a California resident when the resident is acting as the business’s employee, owner, director, officer or contractor, if the communication or transaction occurs in connection with the business conducting due diligence regarding, providing or receiving a product or service from another business. Therefore, businesses will not have to notify these individuals of their data processing activities or establish processes enabling them to request the deletion of their personal information. These changes reflect practical steps taken by the California legislature to address the difficulty of implementing such notice and erasure rights in a purely business context.
However, this exemption on general business-related information does not apply to the CCPA’s provision granting individuals the right to opt out of the sale of their data or its anti-discrimination provisions. The non-applicability of the “opt-out” rights clause in Assembly Bill 1355 is especially important in the context of businesses that share vendor and supplier information with affiliates or subsidiaries, which may implicate the “do not sell” rights within the meaning of the CCPA. The exemptions set forth in Assembly Bill 1355 have a one-year sunset clause and will become inoperative on January 1, 2021.
- Data broker registration. Assembly Bill 1202 requires data brokers to register with the California Attorney General and that the Attorney General make this list publicly available. Under the CCPA, a data broker is defined as a business that knowingly sells personal information it collects from consumers with whom it does not have a direct relationship. According to the California legislature, a data broker collects many hundreds or thousands of data points about consumers from multiple sources, and although they may provide information beneficial to services offered in the modern economy, they also create risks associated with the widespread aggregation and sale of consumers’ data. A data broker who fails to register with the Attorney General could be subject to a broad range of regulatory actions.
- Consumer rights request methods. Assembly Bill 1564 provides that businesses operating exclusively online that have a direct relationship with consumers from whom they collect personal information need only provide an email address for consumers to request data. All other businesses must offer two or more designated methods for consumers to submit data requests, including, at a minimum, a toll-free telephone number. Additionally, if a business maintains a website, it is now also required to make its website address available to consumers to submit requests.
- Publicly available information. The CCPA exempts “publicly available” information from its definition of personal information. Assembly Bill 874, in turn, streamlines and clarifies the definition of “publicly available” to mean information that is lawfully made available from federal, state or local government records.
- Vehicle warranties and recalls. Assembly Bill 1146 exempts from the CCPA’s “do not sell” requirement personal information and other data related to vehicles and warranties. Specifically, Assembly Bill 1146 addresses the sale of “vehicle information,” which includes a vehicle’s information number, make, model, year and odometer reading, and “ownership information,” which means the “name or names of the registered owner or owners and the contact information for the owner or owners.” The amendment would exempt a covered business from having to offer the right to opt out of the sale of vehicle or ownership information retained or shared between motor vehicle dealers and vehicle manufacturers when the information is shared for the purpose of a vehicle repair covered by a warranty or recall. In addition, Assembly Bill 1146 would exempt covered businesses from having to comply with a consumer’s request to delete his or her personal information if the business must maintain the information to fulfill a written warranty or product recall’s terms (when conducted according to federal law).
- Clarifications and exemptions. Assembly Bill 1355 broadens the existing exemption for compliance with the federal Fair Credit Reporting Act (FCRA) to now exempt all personal information that relates to a consumer’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics or mode of living collected by a consumer reporting agency. Under the current version of the CCPA, this FCRA exemption is limited to only cover consumer reports. However, the FCRA exemption set forth in Assembly Bill 1355 does not apply to the CCPA’s provision creating a privacy right of action related to a data breach.
- Clarified “do not sell” and anti-discrimination provisions. Assembly Bill 1355 clarifies that a business must obtain an affirmative authorization from a consumer who is at least 13 but less than 16 years of age to sell that consumer’s personal information. In addition, it prohibits businesses from discriminating against consumers from exercising any of their rights under the CCPA, except if the differential treatment is reasonably related to the value a consumer’s data provides to the business. This means a business may offer a different price, rate, level or quality of goods or service to a consumer if that price or service is directly related to the value the consumer’s data provides to the business.
The CCPA is a comprehensive U.S. data privacy law, and entities doing business in California need to ensure they comply or they risk severe penalties. Businesses should not wait to implement their compliance policies, as the CCPA goes into effect on January 1, 2020. While the California Attorney General’s enforcement is not expected until at least July 1, 2020, consumer lawsuits, including class actions, could start in early 2020. It is important to remember that the CCPA can apply to even businesses that do not have offices and employees in California, and that it can apply to activities conducted outside of California.
Companies that evaluate their internal data regulation and privacy policies and take proactive steps to update them will aid in their organization’s timely compliance with the CCPA, while also minimizing business risks. The keys to being ready for the CCPA are to identify the data being collected and retained; have established notices, processes and procedures to comply with the CCPA’s substantive and procedural requirements; and have mechanisms and processes to respond to data requests, which should be included in the company’s website privacy statements.
Our team will continue to monitor developments in the California legislature and Attorney General’s office and provide further updates.
FOR MORE INFORMATION
For more information, please contact:
Thomas F. Zych
Steven G. Stransky
This advisory bulletin may be reproduced, in whole or in part, with the prior permission of Thompson Hine LLP and acknowledgment of its source and copyright. This publication is intended to inform clients about legal matters of current interest. It is not intended as legal advice. Readers should not act upon the information contained in it without professional counsel.
This document may be considered attorney advertising in some jurisdictions.
© 2019 THOMPSON HINE LLP. ALL RIGHTS RESERVED.