Recent Developments to the California Consumer Privacy Act: How They Impact Your Organization’s Compliance Efforts

As the California Consumer Privacy Act’s (CCPA) January 1, 2020 compliance due date rapidly approaches, organizations have been trying to keep up with the changes to the CCPA. Recently, there were seven new amendments that impact the CCPA and scope of existing data privacy laws, as well as draft regulations released by the California Attorney General governing the implementation of the CCPA. Compliance with the CCPA requires action now.

On October 11, 2019, California’s Governor Gavin Newsom signed seven new bills which amended the CCPA and changed the scope of existing data breach notification laws. Notable highlights are discussed below. For a full text of these amendments, click here.

• AB-25 excluded employee data from the definition of a consumer under the CCPA, exempting employee data from a consumer’s right to access, deletion, and opt-out. This exemption applies to personal information about employees, job applicants, owners, directors, staff, officers, and contractors that are utilized solely in the context of those roles. Although this is welcome news for many employers, there are limitations: it is temporary in nature with a one-year sunset provision that makes this amendment inoperative on January 1, 2021, and organizations are still required to provide employees with appropriate notices about their personal data. In a separate provision, this amendment also authorized a business to require authentication of the consumer that is “reasonable” in order to make a verifiable consumer request.
• AB-874 established that “publicly available information” as well as de-identified or aggregate consumer information are not “personal information” subject to the CCPA.
• AB-1130 broadened the definition of personal information under the existing data breach notification statute by adding two categories of data: biometric information and specified government-issued identifiers, such as tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual.
• AB-1146 excepted from a consumer’s right to opt out, information of a vehicle and vehicle’s ownership between a new motor vehicle dealer and vehicle manufacturer for purpose of vehicle repair covered by a warranty or recall. The definition of vehicle information includes the vehicle information number, make, model, year, and odometer reading; and the definition of vehicle ownership information includes the name and contact information for the owners.
• AB-1202 created a new “data broker” registry with the California Attorney General for data sellers. A “data broker” is defined as a business that “knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship”; however, how this is implemented by data brokers/organizations will require further clarification.
• AB-1355 allowed differential treatment of a consumer if that treatment is reasonably related to the value provided to the business by the consumer’s data, subject to certain limitations. This amendment may address an organization’s loyalty programs, such as membership rewards programs and other financial incentives. AB-1355 also significantly limited the application of the CCPA provisions to business-to-business (B2B) communications by exempting personal information bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics or communication, or a transaction between the business and consumer within the context of the business conducting due diligence or providing or receiving a product or service, as further specified in this amendment.
• AB-1564 modified the operational methods that a business makes available to consumers to submit data requests.

In addition to these amendments, the California Attorney General recently released draft regulations to provide clarity and guidance regarding enforcement of the CCPA. The draft regulations set forth guidance regarding the notices businesses should provide to consumers under the CCPA including additional categories of data in businesses’ online privacy notices that were not previously specified in the CCPA. Other provisions in the Attorney General’s draft regulations addressed businesses’ practices for handling consumer requests, businesses’ practices for handling the personal information of minors, and businesses’ financial incentives offered to consumers. Several of the proposed regulations will require businesses to update their privacy notices and their data collection processes.

These draft regulations are open for public comment, with public hearings going on this week from December 2-5, 2019. We will update you with further information as we receive them following these hearings.

Once the final regulations are adopted, they are intended to “implement, interpret and make specific” the provisions of the CCPA, pursuant to the Attorney General’s rulemaking authority under the CCPA. For the full text of these draft regulations, click here.

As organizations prepare for CCPA compliance, businesses should consult with a knowledgeable privacy counsel to evaluate whether and how these changes apply to your organization.

To learn more about these changes and for assistance with your organization’s compliance efforts, please contact Sue S. Junn and Charles Russman.

ASSET360, a Cyber & Defense Practice that combines the firm’s Cybersecurity and Data Privacy, Information Governance, Reputation & Crisis Management, and White Collar Crime & Government Investigations teams, provides a ‘single-team’ comprehensive approach to a company’s most complex and challenging cyber and defense issues worldwide. These multidisciplinary attorney teams are also imbedded with cybersecurity, crisis management, and intelligence professionals providing clients a stronger and interconnected defense against operational threats and complex legal situations.