On October 11th, 2019, the California governor adopted some noteworthy amendments to the California Consumer Protection Act (CCPA), resulting from the lobbying of both businesses and consumer groups. The CCPA aims to give consumers control over the collection, distribution, and use of their data. In this summary, we outline the amendments that passed and analyze how they impact the compliance efforts of affected organizations.
Because the CCPA’s deadline of January 1st, 2020 has passed, businesses should take time to proactively understand how the changes might affect them and then take the appropriate measures to comply now. Although most of the core aspects of the law remained intact, there have been some significant changes to this groundbreaking privacy legislation, prompted by pushback from business interests.
AB-25 clarifies that personal information collected by businesses in the context of hiring, or about employees, contractors, or other staff members, is exempt from the CCPA. A significant limitation of this exemption is that it sunsets on January 1st, 2021.
Even though the draft regulations stipulate that a toll-free phone number must be one of the contact methods offered for requests to know, AB-1564 makes an exception for businesses that operate only online and have a direct relationship with the consumer from whom information is collected. These businesses may provide an email address, instead of operating a toll-free phone line. Companies that maintain websites are also required to provide a site for submitting requests.
The B2B exemption applies to information provided by a business contact in a professional capacity. If this contact offers his/her personal information in the context of the business conducting due diligence regarding, or providing a service to, the contact’s business, this data is exempt from several CCPA provisions. Companies are not required to notify their company contacts, give them access to the information on file, or delete it. The exemption doesn’t apply to business contacts who demand that their data not be sold to third parties. Customers are also protected under anti-discrimination obligations, meaning the business cannot treat them differently if they decide to exercise their rights under the law. As with employee information, this exemption ends on January 1st, 2021.
The B2B amendment also clarifies the relationship between the CCPA and the Fair Credit Reporting Act (FCRA). Consumer reporting agencies that are authorized by the FCRA to collect, disclose, sell, communicate, or maintain information about a consumer’s creditworthiness—including information relating to a consumer’s credit capacity, character, general reputation, personal characteristics, mode of living, or credit standing—are not subject to the CCPA. Furthermore, the law does not apply to organizations providing information to consumer reporting agencies or users of consumer reports.
Definition of Personal Information
The definition of “personal information” was modified under AB-874 to cover information that is “reasonably” associated with a consumer or household. The amendment explicitly exempts any data that has been “de-identified” (that is, stripped of the connections that tie specific pieces of information to individuals), as well as aggregate consumer information and information obtained from public government records, regardless of the purpose. Therefore, businesses that rely on de-identified or aggregate consumer information need to analyze the CCPA’s definition of those terms carefully.
The last amendment relates to “data brokers,” who collect and sell personal information on consumers with whom they do not have a direct relationship. The term “direct relationship” is not clearly defined. However, the legislation implies that the direct relationship forms when consumers visit a business’s premises or website, for example, when consumers intentionally interact with online advertisements or have knowledge of and control over the business’s collection of their data.
Data brokers are required to disclose information regarding their data collection practices and contact information, register with the Attorney General, and pay a fee. The Attorney General will publish and maintain the information in a public database. Failure to complete the requirements could result in penalties of $100 per day.
AB-1146 looks at the right to opt out of sale in the context of the automotive industry. It exempts consumer information that is transferred from automotive dealers to vehicle manufacturers if the manufacturer’s warranty covers the vehicle repairs. Consumer requests for companies not to share their data between dealers and makers may be denied if the data is necessary for businesses to fulfill the terms of a written warranty or product recall.