California Consumer Privacy Act Update – Governor Signs Final Amendments (for This Year) and AG Releases Draft Regulations
Governor Signs Final Amendments Prior to January 1, 2020 Effective Date
The California legislature passed several amendments to the California Consumer Privacy Act (CCPA) at the end of this year’s session: AB 25, AB 874, AB 1146, AB 1355, and AB 1564. On October 11, 2019, the Governor approved them all.
Several of the amendments include common-sense limitations on certain CCPA obligations. Two amendments, in particular, work to limit the CCPA’s scope.
- First, AB 25 excludes from most CCPA coverage personal information of a business’s job applicants, employees, and others similarly situated. Specifically, AB 25 exempts information “collected from a natural person in the course of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor [defined to require a written contract] of the business.” Importantly, this amendment does not remove certain notice rights of job applicants, employees, and others, and does not remove these individuals’ rights to pursue a private right of action against a business if their personal information is breached. This provision will sunset after one year, meaning that unless it is extended, job applicants, employees, and others covered by this amendment will be treated like any other consumer under the law, with all corresponding rights.
- Second, AB 1355 exempts certain B2B information from certain CCPA consumer rights. Specifically, AB 1355 provides a one-year exemption, from several but not all CCPA provisions, for “personal information reflecting a written or verbal communication or a transaction between the business and the consumer, where the consumer is a natural person who is acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency and whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from such company, partnership, sole proprietorship, nonprofit or government agency.” As with AB 25, unless extended, this exemption will sunset in one year and does not remove an individual’s right to pursue a private right of action if their information is compromised in a breach.
Additionally, some amendments refine the definition of personal data. AB 874 adds a reasonableness qualification, redefining personal information as “information that ... is reasonably capable of being associated with ... a particular consumer or household.” AB 1355 – in addition to its B2B exemption – further clarifies the definition of personal information to confirm that deidentified or aggregate consumer information is excluded.
The legislature also clarified the obligations of a business that sells goods only via a website. Specifically, AB 1564 provides that businesses that both operate exclusively online and have a direct relationship with the consumer are only required to provide one method for submitting requests to exercise consumer rights, and that method can be an email address. Thus, this amendment removes the requirement to maintain a toll-free number for non-brick-and-mortar businesses.
Beyond CCPA amendments, the legislature adopted an amendment to California’s data breach law that works to expand the risk of liability under the CCPA. Specifically, AB 1130 revises the definition of “personal information” in the California data breach law to include unique biometric data such as “a fingerprint, retina, or iris image, used to authenticate a specific individual,” as well as other data elements, including tax identification numbers, passport numbers, military identification numbers, or other unique identification numbers (e.g., driver’s license numbers or California identification card numbers). Because the CCPA’s private right of action for data breaches is tied to the definition of “personal information” in this law, this revision expands the scope of the CCPA’s private right of action.
With the legislative session closed for the year, there will be no further amendments to the law before it takes effect on January 1, 2020.
AG Releases Draft Regulations
On October 10, 2019, California Attorney General (AG) Xavier Becerra released the long-awaited draft regulations for the CCPA. These rules, once finalized, will govern compliance with the CCPA.
The proposed regulations establish procedures and provide guidance for businesses covered under the CCPA. The draft regulations cover a lot of ground. For example, the proposed regulations detail what notice must be provided at the time of data collection – distinguishing between online and offline (in person) collection. They also outline the notice that must be provided to consumers about how to exercise an opt-out request. For those businesses offering financial incentives or price or service differences, the draft also describes the specific notice that must be provided about those offerings. The draft regulations also detail requirements related to privacy policies, business practices for handling consumer requests, verification procedures, training, record-keeping, and minors.
The release sets into motion a series of events and deadlines in the formal rulemaking process, through which interested stakeholders will have multiple opportunities to engage. Specifically, the AG plans to hold four public hearings, where interested parties can present oral or written testimony. Those hearings are scheduled for December 2 in Sacramento, December 3 in Los Angeles, December 4 in San Francisco, and December 5 in Fresno. Additionally, the Attorney General will accept written comments until December 6.
Joan Stewart | 202.719.7438 or email@example.com
Kathleen Scott | 202.719.7577 or firstname.lastname@example.org