10 Recent Changes to the CCPA that Businesses Should Know About
Subject data rights for employee data and business-to-business data were narrowed (for a year).
The definition of personal information was clarified; the toll-free number requirement has an exception.
The definition of sale remains unchanged.
The California legislative session is over and the nine-month effort to amend the California Consumer Privacy Act of 2018 (“CCPA”) has concluded. In the end, the California legislature passed five amendments to the CCPA. Although the amendments aren’t final until Governor Newsom signs them into law, the Governor has not given any indication that he intends to veto them and is expected to sign them some time before October 13th. If signed into law, the amendments will go into effect along with the rest of the CCPA effect on January 1, 2020.
Notably, none of the amendments fundamentally change businesses’ core obligations under the CCPA. But they do clarify certain provisions of the law and create important, if narrow, exceptions that may modestly ease compliance burdens for some businesses. Below are ten of the most significant changes, in addition to a few notes about the bills that did not pass and future efforts to further reform the CCPA.
- Information collected from employees, contractors, and job applicants is exempt from the CCPA’s access and deletion requests but comes with caveats.
AB 25 exempts personal information collected from individual employees, contractors, or job applicants within the context of the person’s role as an employee or applicant from most CCPA obligations, including access, deletion and Do Not Sell rights. Employers must still provide employees and applicants with notice of the categories of data they collect and the purposes for which the data will be used. Importantly, the exception for employee data will expire on January 1, 2021. This one-year sunset was added at the behest of labor groups to pressure stakeholders to continue negotiating a broader employee data privacy bill next year. The amendment does not exempt employee information from the CCPA’s private right of action for data breaches resulting from “unreasonable” security.
- Data collected in certain business-to-business contexts is exempt from core CCPA requirements (at least for one year).
AB 1355 exempts communications or transactions between a business and personnel of another entity “within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from” that entity from at least the business’s access and deletion obligations. This type of “B2B data” is not exempted from the sale opt-out obligation—though most businesses likely do not have to provide a Do Not Sell link for such data. While this exception has been colloquially referred to as the “B2B exemption,” it is worth noting that the scope of the bill was tailored to data exchanged between entities during due diligence or in connection with existing products/services; it likely does not carve out lead generation lists or cold communications with prospective customers. The B2B exemption also does not apply to the CCPA’s data breach obligations and the exemption as a whole will expire on January 1, 2021, unless further legislation is passed.
- The term “reasonably” was added to clarify the definition of “personal information.”
Under AB 874, “personal information” is now defined as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer household.” The addition of the word reasonably makes explicit what most practitioners were already interpreting the definition to mean. Otherwise, the statute would have applied to every piece of data that theoretically could be be associated with a person—no matter how difficult or time-consuming the process or unlikely the possibility. AB 874 also clarifies that “personal information” does not include de-identified or aggregate information.
- The exception for public records was broadened.
AB 874 also alters the application of the CCPA to public records. Now, information that is lawfully made available from government records is not considered “personal information,” even if used for purposes other than those for which it was maintained and made available in the government records.
- The exception for data subject to the FCRA was clarified.
AB 1355 broadened the exemption for credit information collected pursuant to the Fair Credit Reporting Act (“FCRA”) to cover any “activity involving the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency.” However, this exemption only applies to the extent that the data is collected and used subject to regulation under the FCRA. The exemption does not apply to the CCPA’s data breach obligations.
- Businesses that operate exclusively online and have a direct relationship with consumers need not provide a toll-free phone number for consumer requests.
The CCPA dictates the mechanisms businesses must offer to consumers for submitting access and deletion requests.While businesses that have a brick-and-mortar presence or no direct relationship with consumers need to provide two designated methods including, at minimum, a toll-free number, AB 1564 safeguards certain businesses that “operate exclusively online” and who have a direct relationship with the consumer from this requirement. Rather such businesses can provide an email address and, if such a business has a website, it must also allow consumers to submit requests through their website.
- Businesses are given more discretion for verifying consumer requests and further guidance is forthcoming.
The CCPA requires businesses to take steps to verify the legitimacy of consumer requests for access and deletion. AB 25 permits businesses to design criteria for verification that are “reasonable in light of the personal information requested.” Although businesses cannot require consumers to create an account in order to make a request, if a consumer does have an existing account with the business, the amendment allows the business to require that the consumer submit their request through that account. The Attorney General’s regulations are required to address consumer verification, so further direction and guidance is expected.
Additionally, AB 1355 clarifies that if a business cannot verify a consumer request, it is not obligated to respond to access or deletion requests. It also makes explicit that in complying with the CCPA, a business cannot be required to either collectpersonal information it would not otherwise collect in the ordinary course of its business or retain personal information for longer than it would otherwise retain such information in the ordinary course of its business.
- Responses to consumer access requests need not identify each third party to whom personal information is sold.
AB 1355 clarifies that upon a verified consumer request, a business need only disclose the categories of personal information that it sold about a consumer and categories of third parties to whom the information was sold, rather than having to identify each third party that received the information.
- Businesses can charge consumers differently and offer consumers financial incentives if the divergent treatment directly relates to the value the consumer’s data provides to the business.
The CCPA’s anti-discrimination provision is clarified by AB 1355. Previously, the CCPA allowed businesses to charge a different rate to consumers if the difference was “reasonably related to the value provided to the consumer by the consumer’s data.” Fixing what appears to have been a drafting error, the amendment enables businesses to charge a different rate if the difference is “reasonably related to the value provided to the business by the consumer’s data.” Similarly, businesses are now permitted to offer “a different price, rate, level, or quality of goods or services” for financial incentives if it is “directly related to the value provided to the business by the consumer’s data.”
- Data that is encrypted or redacted is not subject to the CCPA’s private right of action.
AB 1355’s small tweak to the CCPA’s consumer private right of action provision creates a significant difference for businesses’ potential liability. As amended by AB 1355, if a data breach exposes data that it either encrypted or redacted, it is not subject to the data breach private right of action.
Although these amendments resulted in some changes to the CCPA, many other considered fixes were not implemented. For instance, AB 846, which would have altered the CCPA’s anti-discrimination provision to squarely address loyalty and rewards programs, was shelved for the time being. The legislature also rejected other key issues backed by industry groups, such as changes to the definition of “deidentified information” and exemptions for uses of information for anti-fraud purposes and failed to offer any clarification regarding the CCPA’s definition of sale and application to online advertising—to name a few. With one year sunsets on the exemptions for employment and B2B data, the legislature is certain to return to the CCPA in 2020. These negotiations will likely expand to many of the contentious topics from this session, like those identified above, as well as concerns that are likely to arise as the CCPA takes effect.