Update: On October 11, 2019, California Governor Gavin Newsom signed into law the five CCPA amendment bills outlined below.
***
With the passage of several bills that would amend the California Consumer Privacy Act of 2018 (CCPA) in the final hours of California’s legislative session, businesses are one step closer to knowing what the law will look like when it becomes operative on January 1, 2020. The amendments usher in some business-friendly provisions, including a partial exemption for personal information (PI) pertaining to job applicants, employees, owners, directors, officers, medical staff, or contractors of a business (though there is a one-year sunset provision for this exemption and it does not apply to CCPA’s private right of action), and a partial one-year exception for PI collected in the context of certain business-to-business (B-to-B) transactions.
As we previously reported, several CCPA amendment bills cleared a key procedural hurdle when they passed Senate Judiciary Committee votes in July 2019. In the lead-up to the close of the legislative session on September 13, 2019, all but one of these bills passed full Senate votes and their Senate amendments were concurred in by the Assembly, leaving Governor Gavin Newsom’s signature as the final step to enactment. Below is an overview of the bills that passed both houses of the legislature and are headed to the governor’s desk:
- B-to-B Exception and Clarifying Various Drafting Errors: A.B. 1355, which, as originally drafted, would clean up and clarify a number of the CCPA’s drafting errors, was significantly amended following our July 2019 update and now contains a broad, one-year moratorium on “consumer” PI obtained in the context of certain B-to-B communications or transactions. In its final form, the bill:
  - Introduces a one-year moratorium (that expires on January 1, 2021) on most of the CCPA’s individual rights – with the exception of the rights to opt out of sale and non-discrimination – as they pertain to B-to-B consumers. The moratorium applies when each of the following conditions is met:
    - The PI reflects a written communication, verbal communication, or transaction between the business and consumer;
    - The consumer is acting as an employee, owner, director, officer, or independent contractor of an entity; and
    - The communication or transaction occurs solely within the context of (a) the business conducting due diligence regarding the entity, or (b) the business providing or receiving a product or service to or from the entity;
  - Clarifies that use or disclosure of PI by a consumer reporting agency, furnisher of information to a consumer reporting agency, or user of a consumer report is exempt from the statute, so long as that activity is regulated by the Fair Credit Reporting Act. This exemption does not apply to the CCPA’s private right of action, which permits a consumer to sue a business if his or her non-encrypted or non-redacted PI is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable safeguards;
  - Modifies the definition of PI to include information that is “reasonably capable of being associated with” a particular consumer or household, rather than “capable of being [so] associated”;
  - Clarifies that de-identified and aggregated PI are exempt from the CCPA’s scope;
  - Clarifies that the CCPA’s private right of action is available to individuals following data security incidents involving their unencrypted and un-redacted PI (i.e., if the impacted PI is either encrypted or redacted, the business will avoid liability under the statute’s private right of action); and
  - With respect to non-discrimination, clarifies that the reasonableness of a business charging a consumer a different price or rate, or providing a consumer a different level or quality of goods or services, is measured according to the value of the PI to the business, not to the consumer.
- Employee Exception: A.B. 25 would exempt PI pertaining to job applicants, employees, owners, directors, officers, medical staff, or contractors of a business from much of the scope of the CCPA (provided that such information is collected and used “solely within the context of the person’s role” as an employee, applicant, etc.). As previously amended by the Senate in July, the final bill includes a one-year sunset provision – it will expire on January 1, 2021 – as well as a requirement that businesses provide such persons with a privacy notice. The prior amendments also clarify that the exemption does not apply to the CCPA’s private right of action.
- Clarifying/Expanding Exclusions from the Statutory Definition of PI: A.B. 874 would expand the exclusions from the statutory definition of PI by defining “publicly available” information as that which is lawfully made available from federal, state, or local government records, and specifying that PI does not include de-identified or aggregate consumer information. In a win for businesses, the exclusion no longer specifies that in order to be considered “publicly available,” the information must be used for a purpose that is consistent with that for which it is publicly maintained – a caveat that rendered the exception largely inoperative.
- Methods for Submitting Consumer Requests: A.B. 1564 would amend the CCPA’s provision dictating the mechanisms that businesses must make available for consumers to submit requests under the Act. In its final form, the bill requires businesses to maintain two designated methods for consumers to submit such requests, including, at a minimum, a toll-free telephone number. The bill provides an exception for businesses that operate exclusively online and maintain a direct relationship with the California residents whose PI they collect; such businesses need only maintain an e-mail address for receiving CCPA requests.
- Motor Vehicle Recall/Repair Exception: A.B. 1146 would exempt from the CCPA’s notice, disclosure, and access obligations, as well as its private right of action, certain information retained or shared between a motor vehicle dealer and the vehicle’s manufacturer if the information is shared in connection with a vehicle repair covered by a vehicle warranty or a recall and other conditions are met.
The other bill that cleared a Senate Judiciary Committee vote in July – A.B. 846, regarding customer loyalty programs – was significantly amended in the Senate before being shelved at the eleventh hour of the legislative session. Its sponsor, Assemblywoman Autumn Burke, indicated that she plans to reintroduce the bill in the next legislative session.
Governor Newsom has until October 13 to sign the five bills outlined above into law, and most pundits anticipate that he will do so. In the event the Governor takes no action by October 13, the bills will become law absent his signature. Separately, we continue to await California Attorney General Xavier Becerra’s rulemaking process; a first draft of the CCPA regulations is expected in fall 2019, following statewide public forums in January – March 2019.
To access MoFo’s full suite of CCPA thought leadership and readiness tools, visit our CCPA Resource Center.