On Friday, October 11, 2019, California’s Governor Gavin Newsom signed five bills that directly amend the California Consumer Privacy Act (CCPA) and two other bills that affect the CCPA. Together, the bills change almost every section of the CCPA.
While it is important to understand the effects of these revisions to the CCPA, they are relatively narrow in scope, and the core provisions of the CCPA remain largely intact, making it crucial for businesses to continue preparations for the law’s January 1, 2020 effective date. Here are highlights of the seven bills that Governor Newsom signed:
- Employee Exemption: Assembly Bill 25 creates a one-year period during which many of the CCPA’s requirements will not apply to the personal data collected from job applicants, employees, business owners, directors, officers, medical staff, or contractors when the information is collected solely in the context of that person’s role or former role in the business. This exemption, however, does not remove the notice requirement under 1798.100(b) or exempt the data from the consumer private right of action under Section 1798.150. Employers will still need to conduct the due diligence necessary to revise their employee privacy notices and have them revised before January 1, 2020.
- Business to Business Exemption: Assembly Bill 1355 exempts B2B communications or transactions from the CCPA until January 1, 2021. B2B communications or transactions include marketing and transactional emails between a business and a consumer who is a natural person and who is acting in the role of an employee, owner, director, officer, or contractor of a government agency or business. The communications or transactions between the consumer and the business must occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from, that business or government agency.
- Toll-free number eliminated for online businesses: Before Assembly Bill 1564 was introduced, the law required businesses to provide two methods for consumers to submit requests for information, including a toll-free telephone number. This amendment allows businesses that operate exclusively online and have a direct relationship with a consumer to drop the toll-free number and provide only an email address for consumers who submit CCPA requests.
- Publicly Available Information: Assembly Bill 874 excludes “publicly available information” that is lawfully made available from federal, state, or local government records, from the definition of personal information. The amendment also clarifies that the definition of “personal information” excludes deidentified or aggregate consumer information.
- Amendment of Personal Information definition: Assembly Bill 874 clarifies that “personal information” does not include “consumer information that is deidentified or aggregate consumer information.” (Cal. Civ. Code § 1798.140(o)(3)).
- Data Broker Registration: Assembly Bill 1202 requires data brokers to register with the California Attorney General. This provision defines a data broker as a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship. Because the CCPA’s definitions of “sale,” “personal information,” “business,” “collect,” “consumer” and “third party” are particularly expansive under the law, this requirement may reach beyond what most businesses would typically consider to be a data broker.
- Data Breach: Assembly Bill 1130 revises the personal information definition to add specified unique biometric data and unique government-issued identification numbers such as tax identification numbers, passport numbers, and military identification numbers. The amendment also authorizes a person or business that is required to issue a security breach notification to include notification for breaches involving biometric data.
Given the overall complexity of the CCPA, these amendments are generally very limited in nature and still leave a number of questions about CCPA compliance unanswered. Most importantly, the amendments did not reduce the number of steps that covered businesses must take in order to comply by the effective date.
Companies are now turning their attention to the draft regulations proposed by the California Attorney General on October 10, 2019 to determine how the implementing regulations will shape their compliance obligations. The draft regulations attempt to provide clarity in areas where there was previous uncertainty. Despite high hopes, however, the regulations do not provide the desired level of clarity, in part because they are not aligned with the amendments that were just signed into law.
For example, AB 1564 clearly states that online-only retailers are not required to provide a toll-free number as a designated method for processing consumer requests. But section 999.312 of the draft regulations still includes language mandating a toll-free phone number as one of the two methods available to consumers. Perhaps this is one of the issues that will be addressed during the period for public comments and before the regulations are finalized in the spring of 2020. Public comments on the draft regulations are due December 6, 2019. Please see the specific implementing regulations here.
Michael Best’s Privacy and Cybersecurity team has kept pace with the CCPA developments by creating templates and tools that can be customized for businesses of all sizes across all affected industries. We have also explored and designed practical solutions to minimize the compliance challenges of the core provisions of the law. Please reach out to our team for a consultation about the next best steps between now and the time that the CCPA becomes official on January 1, 2020.