The California legislature passed several amendments to the California Consumer Privacy Act of 2018 (Cal. Civ. Code §§ 1798.100 to 1798.190) (the “CCPA”) on September 13, 2019. (See our previous blog posts here: Which CCPA Amendments Made the Cut? and Potential Changes to the CCPA; California Senate Considers Amendments). These amendments will soon head to Governor Newsom’s desk for signature. Among other things, the amendments:
- Revise the definition of personal information;
- Create limited exemptions for employment-related personal information and personal information involved in business-to-business communications and transactions;
- Create an exemption for information related to consumer warranties and product recalls and vehicle ownership information;
- Clarify the exemption for certain personal information used in consumer reports; and
- Clarify the “value test” established in the CCPA’s anti-discrimination provisions.
Below is a description of the amendments:
Definition of Personal Information. The California Senate and Assembly approved AB 874, which cabins the definition of “personal information” to that which is “reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Personal information includes information that is “reasonably” capable of being associated with identifiers listed in the CCPA, including, but not limited to, real name, alias, postal address, internet protocol address, and social security number. AB 874 further amends the CCPA to exclude from personal information deidentified or aggregate consumer information.
Additionally, AB 874 simplifies the definition of publicly available information, which is excluded from personal information. The bill removes the conditions required for information to qualify as public information. Instead the term is amended to mean “information that is lawfully made available from federal, state, or local government records.” However, publicly available information still excludes biometric information collected without the consumer’s knowledge.
Exemptions for Employment Information. The original version of AB 25 approved by the State Assembly broadly excluded personal information of employees, contractors, and job applicants from the CCPA. The Assembly and Senate approved a modified version which provides a more limited exemption. AB 25 now provides that the statute does not apply to the personal information of job applicants, employees, and contractors that a business collects in the course of employment or the application process, but only to the extent solely used in the context of the job application or the employment relationship. In addition, businesses must inform employees, contractors, and applicants, at or before the point of collection, of the categories of personal information to be collected and the purposes for which such information will be used. This information also remains subject to the private right of action established in the law for certain security incidents.
The amendment adds an additional exemption for consumer personal information involved in business to business communications or transactions. The exemption does not apply to the right to opt out of data sales, and the information remains subject to a private right of action for certain security incidents. The non-discrimination provisions of the statute also continue to apply.
AB 25 will become inoperative on January 1, 2021. Employment-related information will become subject to the full set of requirements of the CCPA on and after that date unless California first enacts an employee privacy law.
Exemptions for Warranties, Product Recall, and Vehicle Ownership Information. AB 1146 creates exemptions to the CCPA’s right to delete and right to opt out for certain categories of information. Businesses are no longer required to comply with a consumer’s request to delete personal information if the request pertains to information the business needs to “fulfill the terms of a written warranty or product recall conducted in accordance with federal law.” Businesses are also not required to comply with requests to opt out of sales relating to vehicle ownership information shared between a “new motor vehicle dealer” and the manufacturer regarding vehicle repairs relating to warranty work or recalls provided that the dealer or manufacturer does not sell, share, or use the information for any other purpose.
Exemption for Personal Information in Consumer Reports. The California legislature amended and passed AB 1355, which clarifies the existing exemption for personal information related to the Fair Credit Reporting Act (15 U.S.C. § 1681) (the “FCRA”). The CCPA currently does not apply to personal information sold to or from a consumer reporting agency if such information is reported or used in a consumer report and covered by the FRCA. AB 1355 clarifies the exemption to apply to activity by consumer reporting agencies, furnishers of information, or users of consumer reports concerning personal information related to a consumer report. Such information includes that “bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living….” The FCRA exemption applies to activity that is regulated under the act and is not “used, communicated, disclosed, or sold except as authorized by the [FCRA].” Information covered by this exemption is subject to the CCPA’s private right of action provision.
Differential Treatment of Consumers. AB 1355 also modifies the “value test” in the CCPA’s non-discrimination provisions. Prior to this amendment, the CCPA prohibited discrimination against consumers exercising CCPA rights unless the difference in prices or rates charged or the level or quality of goods or services provided to these consumers was “reasonably related to the value provided to the consumer by the consumer’s data.” This “value test” has been criticized for requiring businesses to complete an impossible task – determining the value of a consumer’s data to each individual consumer. AB 1355 alleviates this situation by clarifying that a business may require consumers who exercise their CCPA rights to pay a different price or rate or provide a different level or quality of goods or services if the difference is “reasonably related to the value provided to the business by the consumer’s data.”
Specific Pieces of Information Clarified. The CCPA requires businesses that collect personal information about consumers to disclose in their privacy policy the specific pieces of personal information collected about consumers. AB 1355 revises the CCPA to require businesses to disclose that a consumer has the right to request the specific pieces of personal information collected about that consumer. This also makes clear that the obligation in Section 1798.110(a) to disclose the “specific pieces of information” requires the business to disclose a copy of the information, not a description.
Methods for Submitting Consumer Requests. The CCPA requires businesses to make two or more methods available for a consumer to submit requests pursuant to Cal. Civ. Code §§ 1798.110 and 1798.115. Now, pursuant to AB 1564, businesses that operate exclusively online and have a “direct relationship with a consumer from whom” the business collects personal information may provide an email address to support the submission of requests under section 110 and 115 in lieu of a toll-free telephone number. (Note that the underlying requirements to have two channels for requests and the amendments via AB 1564 do not apply to requests submitted pursuant to Cal. Civ. Code §§ 1798.100 or 1798.105.) Businesses that maintain a website must still make a website available for requests. The amendment also provides that businesses may choose, but are not obligated, to require consumers that have business accounts to submit requests through the accounts.
In addition, AB 1564 clarifies that businesses may verify the identity of consumers who make requests in a reasonable manner considering the nature of the information requested. Businesses may impose more comprehensive or strenuous identity verification processes for consumer requests concerning sensitive personal information.
Private Right of Action. The CCPA’s current language of “nonencrypted or nonredacted” would allow for a private right of action if the personal information involved was either nonencrypted or nonredacted. In other words, businesses would have to both encrypt and redact personal information to avoid liability. AB 1355 amends the CCPA’s private right of action provision for certain security incidents to apply to personal information that is “nonencrypted and nonredacted.” The amendment allows businesses to defend against a civil action by either encrypting or redacting personal information.
The California legislature also recently passed a bill that impacts the CCPA’s private right of action provision by amending California’s data security law. The CCPA’s private right of action applies to personal information as defined in California’s data security law (Cal Civ. Code § 1798.81.5). California passed Assembly Bill 1130 expanding the categories of personal information covered by the data security law and thereby expanding the data elements covered by CCPA’s private right of action.
Although all amendments discussed above have been passed by the California legislature, the format of the final amendments’ text is undecided. Before the amendments were passed, each bill was revised to incorporate changes proposed by other amendments upon enactment (e.g., AB 1355 incorporates amendments proposed in ABs 25, 874, 1146, and 1564). The final text of the amendments depends on the order in which the bills are enacted. We will provide a link to the final text once the order of enactment has been determined.