United States: Closing Bell: California Legislature Passes Numerous CCPA Amendments And Other Privacy Bills On Final Day Of 2019 Session

Last Updated: September 24 2019
Article by David Navetta, Adam Connolly and Christian Lee

The last day of California's 2019 legislative session on Sept. 13, 2019 saw a flurry of legislative activity as numerous CCPA amendments passed in the Assembly, after being amended in the Senate, and were sent to the governor for his consideration. The more substantial amendments sought by industry groups, including those seeking relief for the adtech ecosystem, failed to pass. The amendments that did pass do not fundamentally decrease the CCPA compliance effort facing most businesses. In some cases the amendments broaden the CCPA's reach, most notably by classifying businesses that knowingly "sell" certain personal information as data brokers who must register with the California Attorney General ("California AG" or "AG"), and by expanding the types of data breaches that can trigger the CCPA's private right of action. However, new grace periods for certain personal information collected in the B2B and HR contexts will come as a welcome reprieve for many companies.

The bills, which the governor must sign or veto by Oct. 13, 2019, include the following (additional detail and analysis of each bill follows below):

  • AB 1130 expands the scope of "personal information" covered by California's data security and breach notification statutes to include certain government-issued identification numbers and unique biometric identifiers, which in turn expands the types of data breaches that are actionable under the CCPA's private right of action and qualify for statutory damages
  • AB 25 temporarily exempts personal information of employees and other "HR data" from the obligation to honor some CCPA rights (access, opt-out of sales, and deletion), but not others (privacy notice, private right of action with statutory damages)
  • AB 1202 classifies any business that knowingly "sells" (as defined under the CCPA) personal information of consumers with whom the business does not have a direct relationship as a "data broker" that must register with the California AG
  • AB 1355 establishes a one-year grace period for some CCPA requirements with respect to certain personal information exchanged in the B2B context, and broadens the CCPA's FCRA exemption
  • AB 874 clarifies the scope of "personal information", "deidentified" and "aggregated information" under the CCPA
  • AB 1564 requires businesses that operate exclusively online to provide an email address that certain consumers can use to submit CCPA information requests, but provides that this email address – rather than a toll-free phone number or web page – can be the sole method for submitting such requests. The bill also allows businesses to take a risk-based approach to verifying the identities of consumers exercising their CCPA rights
  • AB 1146 partially exempts personal information needed for vehicle warranties or recalls from the obligation to honor deletion requests, and partially exempts vehicle and ownership information kept by or exchanged between car dealers and manufacturers from the obligation to honor requests to opt-out of "sales"

ADDITIONAL DETAILS

AB 1130

Expands the scope of personal information governed by California's breach notification and reasonable security laws to include first name or first initial and last name in combination with:

  • Tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual.
  • Unique biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina, or iris image, used to authenticate a specific individual. Unique biometric data does not include a physical or digital photograph, unless used or stored for facial recognition purposes.

Our take

This change will increase the number of security incidents that must be reported under California's breach notification law, and that will be actionable under the CCPA's private right of action if the breach resulted from failure to protect this information with "reasonable" security procedures and practices required by California's data security law.

AB 25

Keeps employer-held personal information within the scope of the CCPA, but exempts for one year—until January 1, 2021—most CCPA requirements relating to personal information of:

  • a business's job applicants, employees, owners with a controlling interest, directors, officers, medical staff members (certain licensed doctors, dentists and podiatrists), and contractors who are California residents ("California Personnel"), when the personal information is used within the context of that person's role;
  • the emergency contacts of any California Personnel that a business collects and uses solely to keep emergency contacts on file; and
  • beneficiaries and other individuals associated with California Personnel that a business collects and uses solely to administer benefits.

This grace period does not apply to:

  • the requirement to give a privacy notice to California Personnel at or before the point of collection of their personal information (e.g., on web pages collecting job applications, during employee on-boarding) explaining the categories of personal information to be collected and the purposes for which they are used; or
  • the private right of action for data breaches resulting from failure to protect this information with "reasonable" security procedures and practices required by California's data security law.

Our take

Businesses should move forward with CCPA compliance by January 1, 2020 with respect to personal information of California Personnel by: (1) preparing and delivering privacy notices; and (2) confirming that they have applied reasonable security measures designed to protect personal information of California Personnel regulated by California's data security law (the definition of which was amended by AB 1130).

After the grace period expires on January 1, 2021, unless the legislature takes steps to continue the exemption, businesses will be bound by all of the CCPA's requirements in the HR context, such as honoring Californians' access and deletion requests.

AB 1202

Classifies as a "data broker" any business that knowingly collects and sells to third parties personal information of a consumer with whom the business does not have a direct relationship. Such data brokers must register with the California AG and pay a registration fee. The data broker must provide its name and physical, email, and website addresses, and may optionally explain its data collection practices. The California AG must post the information submitted by data brokers to a public website.

While incorporating defined terms from the CCPA (e.g., "business", "consumer", "collect", "sell"), AB 1202 creates a new statute that the California AG can enforce with injunctive relief and monetary penalties, including daily penalties of $100, the registration fee, and expenses incurred by the California AG to investigate and prosecute the case.

Our take

AB 1202's use of the CCPA's broad definition of "sale" to define a "data broker" will sweep in many businesses that do not engage in typical data broker activities. While the bill aims to increase transparency, requiring such a broad class of "data brokers" to register on the California AG's site may make it more difficult for consumers to identify which businesses are actually "selling" their personal information in the common sense meaning of the word. In addition, the law will make it easier for consumers, plaintiff lawyers, and privacy advocacy groups acting on their behalf, to identify businesses that "sell" personal information under CCPA and target them with opt-out requests.

AB 1355

B2B Data exemption. This bill exempts, until January 1, 2021, the following personal information ("B2B Data"):

[P]ersonal information reflecting a written or verbal communication or a transaction between the business and the consumer, where the consumer is a natural person who is acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency and whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from such company, partnership, sole proprietorship, nonprofit or government agency.

B2B Data is exempted from the requirements under CCPA to:

  • give a privacy notice at or before the time of collection of personal information
  • honor access and deletion requests
  • post a Do Not Sell My Personal Information link on the business's homepage

However, B2B Data is not exempted from the requirement under the CCPA to honor:

  • the right to opt-out of sales
  • the right to non-discrimination

FCRA exemption. The CCPA currently exempts "the sale of personal information to or from a consumer reporting agency" that is used to generate a consumer report under the Fair Credit Reporting Act ("FCRA"). This bill broadens the exemption to "an[y] activity involving the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency" so long as the activity is "authorized" by the FCRA. However, the FCRA exemption does not shield consumer reporting agencies or other businesses against the private right of action or statutory damages under the CCPA for data breaches.

Our take

B2B Data exemption. Businesses hoping that the legislature would correct the CCPA by acknowledging that it was not intended to cover business contact information got the opposite answer: explicit recognition that the CCPA does govern this information. AB 1355 also gave a consolation prize in the form of a limited, one-year grace period, but it is not straightforward and raises several interpretive questions:

  • If a business gets a vendor representative's contact information not from the vendor, but from a third party participating in the same transaction with the business and the vendor, does the grace period apply to that contact information?
  • If the grace period does not apply to sales leads purchased from a data broker, would the grace period attach (a) if the business actually contacts those sales leads to offer a product or service or as part of "due diligence" into a potential business relationship, (b) once the lead is converted into a customer, or (c) not at all?
  • Finally, if the grace period exempts a business from giving privacy notices to, or posting "Do Not Sell My Personal Information" links for, business contacts but does not exempt the business from honoring requests to opt out of sales, is the business required to offer any explanation of how to exercise the opt-out right?

The text of AB 1355 offers no clear answers to any of these questions.

Moreover, the exemption from the obligation to give privacy notices and post "Do Not Sell My Personal Information" links may be at best marginally helpful if businesses have to implement them anyway for prospective customers and other business contacts who do not fall within the scope of the exemption. However, the challenges posed by CCPA's access and deletion requirements are considerable, and the one-year reprieve from having to deal with access and deletion requests from most end users of online B2B accounts and other business contacts will be welcome to many.

FCRA exemption. By enlarging the FCRA exemption beyond just "sales" of personal information to include other activities "authorized" by the FCRA, the bill now comes closer to harmonizing the FCRA exemption with the Gramm-Leach-Bliley Act ("GLBA") exemption, removing some doubts about its application to FCRA-regulated data use. However, businesses must still maintain reasonable security measures under California's data security law for personal information subject to FCRA, since the exemption does not extend to the CCPA's private right of action or statutory damages for data breaches.

AB 874

The bill clarifies the scope of "personal information" under the CCPA in three respects:

  • "Publicly available" information. The bill fixes a drafting error to clarify that the "publicly available" information excluded from the definition of "personal information" refers to "information that is lawfully made available from federal, state, or local government records."
  • Deidentified or aggregated information. The bill clarifies that personal information "does not include consumer information that is deidentified or aggregate consumer information," which was not previously explicit due to a different drafting error.
  • Information "reasonably" capable of being associated. To address concerns that "personal information" could be read to include information that is only theoretically capable of being linked with a consumer or household, the bill revises the definition of "personal information" to refer to information "that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household" (emphasis added).

Our take

The modifications to publicly available information and deidentified/aggregated information are non-substantive drafting error corrections. However, the addition of the "reasonably" qualifier to the definition of "personal information" was viewed by the California Chamber of Commerce, which championed the amendment, as necessary to avoid extreme results. If personal information included any information theoretically capable of being associated with a consumer or household, the Chamber argued (see 09/11/19 Assembly Floor Analysis) that a brick-and-mortar store could, for example, be forced to search security camera footage to figure out where a customer appears in it and give the footage back to the customer in response to an access request, even if the business had never linked the footage to anyone.

In addition, the change harmonizes the CCPA's definition of "personal information" with the FTC's Privacy Framework (focusing on data "that can be reasonably linked to a specific consumer, computer, or device") and the CCPA's existing definition of "deidentified," which already includes a similar "reasonably" qualifier ("information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer") (emphasis added).

AB 1564

"Toll-free number" exemption. The CCPA requires businesses to provide two or more methods by which consumers can submit information requests under the CCPA, including a toll-free telephone number and a web page if the business operates a website. This bill changes that for businesses that operate "exclusively" online and have a "direct relationship" with a consumer from whom the business collects personal information. Such businesses are required only to designate an email address that may be the sole method by which that consumer can submit CCPA information requests.

Risk-based identity verification. The CCPA requires businesses to "reasonably verify" the identities of individuals making information, access and deletion requests under the CCPA. This bill clarifies that businesses can require a level of verification that is "reasonable" in light of the personal information requested (but they still cannot require consumers to create accounts with the business).

Our take

"Toll-free number" exemption. AB 1564 will spare many online businesses that do not have "brick and mortar" interactions with consumers from the burden of establishing new toll-free phone numbers for use by consumers with whom they are already communicating online. However, if a business collects personal information about consumers with whom it does not have a direct relationship, the business will still need to offer a toll-free number that those consumers can use to make CCPA information requests. In addition, "operates exclusively online" is not defined, and it is not clear whether an online business can qualify for this exemption with respect to individuals with whom it interacts in corporate offices or at occasional offline events or promotions. As a result, many online businesses may find it most expedient to simply establish a toll-free number rather than parse their eligibility for the exemption.

Risk-based identity verification. The amendment acknowledges that identity verification should not be a one size fits all proposition, and that it may be necessary for businesses to require more stringent identity verification for access or deletion requests involving more sensitive personal information.

AB 1146

This bill creates two limited exemptions for car dealers and manufacturers for personal information and vehicle information related to recalls and warranty service.

First, the bill provides that personal information is exempt from the deletion requirement if it is needed to fulfill a warranty or recall in accordance with federal law.

Second, the bill provides that the right to opt-out of "sales" of personal information does not extend to "vehicle information" (the vehicle identification number, make, model year, and odometer reading of a vehicle) and "ownership information" (the names and contact information of the vehicle owners) retained by, or shared between, dealers and manufacturers, if used for vehicle warranty or recall purposes under federal law. Notably, the vehicle and ownership information exemption does not apply to other CCPA rights, such as the rights of access or deletion.

Our take

The CCPA contains a general exemption providing that it does not restrict a business's ability to comply with federal, state, or local laws. However, AB 1146 shows that for at least one industry group, auto dealers and manufacturers, the general exemption was not enough. Other industry groups may well follow suit and seek explicit industry-specific exemptions for legal compliance activities in the 2020 legislative session, which will undoubtedly see another wave of attempts to modify the CCPA.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
