California marked the end of the 2019 legislative session this past Friday, September 13, by passing five out of six pending bills to amend the California Consumer Privacy Act of 2018 (“CCPA”). The bills – AB-25, AB-874, AB-1146, AB-1355 and AB-1564 – now head to California Governor Newsom’s desk for signature, which must occur by October 13 for the bills to be signed into law. The only pending bill not to pass was AB-846, which would have addressed the law’s application to customer loyalty programs; it was ordered to the inactive file at the request of Senator Jackson.
The most significant changes the bills would make to the CCPA include: (1) a one-year exemption (from much of the law’s application) for HR data and business-to-business customer representative personnel data; (2) changes to the definitions of “personal information,” “publicly available” information and “verifiable consumer request”; (3) limited exemptions for personal information necessary to fulfill a product warranty or recall, or to effectuate a vehicle repair covered by a vehicle warranty or recall; (4) revisions to the private right of action provision; (5) clarifications that a business need not collect or retain more information than it otherwise would in the ordinary course of business; (6) revisions to the anti-discrimination right; and (7) clarification that a business operating exclusively online need only provide an email address as a designated consumer request method.
Below is a summary of the CCPA amendment bills passed by the legislature at this session.
1. AB-25
- HR data exemption: Adds § 1798.145(g) to exempt the following from the CCPA’s application, except for § 1798.100(b) (notice provision) and § 1798.150 (private right of action provision):
  - (A) Personal information that is collected by a business about a natural person in the course of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business to the extent that the natural person’s personal information is collected and used by the business solely within the context of the natural person’s role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or a contractor of that business.
  - (B) Personal information that is collected by a business that is emergency contact information of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business to the extent that the personal information is collected and used solely within the context of having an emergency contact on file.
  - (C) Personal information that is necessary for the business to retain to administer benefits for another natural person relating to the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business to the extent that the personal information is collected and used solely within the context of administering those benefits. (Cal. Civ. Code § 1798.145(g)(1)(A)-(C)).
- Adds definitions of “contractor,” “director,” “medical staff member,” “officer” and “owner.” (Cal. Civ. Code § 1798.145(g)(2)).
- Adds a one-year sunset clause, specifying that § 1798.145(g) would become inoperative beginning January 1, 2021.
- Section 1798.145(g) would not apply to § 1798.100(b) of the CCPA, which provides that “a business that collects a consumer’s personal information shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used. A business shall not collect additional categories of personal information or use personal information collected for additional purposes without providing the consumer with notice consistent with this section.”
- Section 1798.145(g) would not apply to § 1798.150 of the CCPA, which grants a private right of action to California residents in the event of a data breach that occurs as “a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.” Therefore, if a business were to experience a data breach affecting the personal information of the categories of individuals enumerated in this exemption, such individuals would still be able to bring a private right of action against the business.
- Identity authentication: Amends § 1798.130(a)(2) to allow businesses to, in response to a consumer request, “require authentication of the consumer that is reasonable in light of the nature of the personal information requested.” Provides that a business shall not require a consumer to create an account with the business to submit a verifiable consumer request, but allows businesses to require the consumer to submit a request through the consumer’s existing account with the business. (Cal. Civ. Code § 1798.130(a)(2)).
2. AB-874
- Definition of “personal information”: Amends definition of “personal information” as follows: “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following if it identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.” (Cal. Civ. Code § 1798.140(o)(1)).
- Clarifies that “personal information” does not include “consumer information that is deidentified or aggregate consumer information.” (Cal. Civ. Code § 1798.140(o)(3)).
- Definition of “publicly available”: Clarifies the meaning of “publicly available” in the definition of “personal information” as follows: “information that is lawfully made available from federal, state, or local government records. ‘Publicly available’ does not mean biometric information collected by a business about a consumer without the consumer’s knowledge.” (Cal. Civ. Code § 1798.140(o)(2)).
3. AB-1146
- Product warranty or recall: Clarifies that the CCPA’s deletion right shall not apply to the extent it is necessary to maintain the consumer’s personal information to “fulfill the terms of a written warranty or product recall conducted in accordance with federal law.” (Cal. Civ. Code § 1798.105(d)(1)).
- Vehicle information: Clarifies that the CCPA’s opt-out of sale right “shall not apply to vehicle information or ownership information retained or shared between a new motor vehicle dealer . . . and the vehicle’s manufacturer . . . if the vehicle or ownership information is shared for the purpose of effectuating, or in anticipation of effectuating, a vehicle repair covered by a vehicle warranty or a recall;” adds definitions of “vehicle information” and “ownership information.” (Cal. Civ. Code § 1798.145(g)(1)).
4. AB-1355
- Business-to-business exemption: Adds Section 1798.145(l) to exempt the following from the obligations imposed on businesses by Sections 1798.100, 1798.105, 1798.110, 1798.115, 1798.130, and 1798.135: “personal information reflecting a written or verbal communication or a transaction between the business and the consumer, where the consumer is a natural person who is acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency and whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from such company, partnership, sole proprietorship, nonprofit or government agency.”
- Adds definitions of “contractor,” “director,” “officer” and “owner.” (Cal. Civ. Code § 1798.145(l)(2)).
- Adds a one-year sunset clause, specifying that § 1798.145(l) would become inoperative on January 1, 2021. (Cal. Civ. Code § 1798.145(l)(3)).
- B2B customer personnel would still be entitled to the opt-out of sale right (Section 1798.120), but the opt-out of sale notice provisions in Section 1798.135 would not apply to businesses.
- B2B customer personnel would still be entitled to bring a private right of action under the law (Section 1798.150).
- Notice requirements:
  - Clarifies that a business’s privacy policy and any California-specific description of consumers’ privacy rights must disclose (1) “the categories of personal information it has collected about consumers,” as opposed to “that consumer,” and (2) “that a consumer has the right to request the specific pieces of personal information the business has collected about that consumer,” as opposed to requiring a business to disclose the actual specific pieces of personal information collected about the consumer. (Cal. Civ. Code §§ 1798.110(c)(1), (5)).
  - Amends Sections 1798.130(a)(5)(A) and 1798.130(a)(6) to clarify that the rights available to consumers under Section 1798.100 and Section 1798.105 would need to be (1) disclosed in a business’s privacy policy and any California-specific description of consumers’ privacy rights and (2) communicated to relevant business personnel responsible for CCPA compliance (e.g., as part of CCPA compliance training). (Cal. Civ. Code §§ 1798.130(a)(5)(A), (6)).
- Data retention and collection: Amends Section 1798.145(i) as follows: “This title shall not be construed to require a business to collect personal information that it would not otherwise collect in the ordinary course of its business, retain personal information for longer than it would otherwise retain such information in the ordinary course of its business, or reidentify or otherwise link information that is not maintained in a manner that would be considered personal information.” (Cal. Civ. Code § 1798.145(i)).
- Definition of “personal information”: Amends Section 1798.140(o)(2), the definition of “personal information,” to clarify that “personal information,” as opposed to “publicly available,” “does not include consumer information that is deidentified or aggregate consumer information.” (Cal. Civ. Code § 1798.140(o)(2)).
- Definition of “verifiable consumer request”: Amends Section 1798.140(y), the definition of “verifiable consumer request,” to state that a business is “not obligated to provide information to the consumer pursuant to Sections 1798.100, 1798.105, 1798.110, and 1798.115 if the business cannot verify . . . that the consumer making the request is the consumer about whom the business has collected information or is a person authorized by the consumer to act on such consumer’s behalf.” (Cal. Civ. Code § 1798.140(y)).
- Opt-in to sale right: Clarifies that, for consumers who are “at least 13 years of age and less than 16 years of age” (excluding children who are 16 years of age), a business must obtain affirmative authorization from the consumer to sell the consumer’s personal information. (Cal. Civ. Code § 1798.120(c)).
- Anti-discrimination right: Clarifies that the law’s anti-discrimination provision, Section 1798.125, considers the value provided to the business, as opposed to the consumer, as follows:
  - (a)(2) “Nothing in this subdivision prohibits a business from charging a consumer a different price or rate, or from providing a different level or quality of goods or services to the consumer, if that difference is reasonably related to the value provided to the business by the consumer’s data.”
  - (b)(1) “A business may offer financial incentives, including payments to consumers as compensation, for the collection of personal information, the sale of personal information, or the deletion of personal information. A business may also offer a different price, rate, level, or quality of goods or services to the consumer if that price or difference is directly related to the value provided to the business by the consumer’s data.” (Cal. Civ. Code §§ 1798.125(a)(2), (b)(1)).
- Private right of action: Amends Section 1798.150(a)(1) to clarify that class-action lawsuits may be brought only for data breaches pursuant to California’s data breach notification law when the personal information is “nonencrypted and nonredacted.” (Cal. Civ. Code § 1798.150(a)(1)).
- FCRA exemption: Amends Section 1798.145(d)(1) to clarify that, with the exception of Section 1798.150, the CCPA shall not apply to “an activity involving the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, as defined in subdivision (f) of Section 1681a of Title 15 of the United States Code, by a furnisher of information, as set forth in Section 1681s-2 of Title 15 of the United States Code, who provides information for use in a consumer report, as defined in subdivision (d) of Section 1681a of Title 15 of the United States Code, and by a user of a consumer report as set forth in Section 1681b of Title 15 of the United States Code.” (Cal. Civ. Code § 1798.145(d)(1)).
- Clarifies that Section 1798.145(d)(1) shall apply “only to the extent that such activity involving the collection, maintenance, disclosure, sale, communication, or use of such information by that agency, furnisher, or user is subject to regulation under the Fair Credit Reporting Act, section 1681 et seq., Title 15 of the United States Code and the information is not used, communicated, disclosed, or sold except as authorized by the Fair Credit Reporting Act.” (Cal. Civ. Code § 1798.145(d)(2)).
- Stipulates that § 1798.145(d)(1) shall not apply to the law’s private right of action provision (Section 1798.150). (Cal. Civ. Code § 1798.145(d)(3)).
- Attorney General regulations: Adds Section 1798.185(b)(1) to state that the Attorney General may adopt regulations “[t]o establish rules and procedures on how to process and comply with verifiable consumer requests for specific pieces of personal information relating to a household in order to address obstacles to implementation and privacy concerns.”
5. AB-1564
- Designated consumer request methods:
  - Clarifies that a business must make available to consumers “two or more designated methods” for submitting requests for information required to be disclosed pursuant to Sections 1798.110 and 1798.115, including, at minimum, a toll-free telephone number. (Cal. Civ. Code § 1798.130(a)(1)(A)).
  - Specifies that if a business maintains a website, the business must make the website available to consumers to submit requests for information required to be disclosed pursuant to Sections 1798.110 and 1798.115 of the CCPA. (Cal. Civ. Code § 1798.130(a)(1)(B)).
- Email-only provision: Clarifies that a business that “operates exclusively online and has a direct relationship with a consumer from whom it collects personal information” is required to provide only an email address for submitting requests for information pursuant to Sections 1798.110 and 1798.115 of the CCPA. (Cal. Civ. Code § 1798.130(a)(1)(A)).
Visit Hunton’s CCPA Resource Center for the latest on the CCPA, including our CCPA Amendment Bill Tracker.