As the clock ticked to the close of California’s 2019 legislative session on Friday the 13th, the California legislature passed several noteworthy amendments to the California Consumer Privacy Act (CCPA). Both the Senate and the Assembly passed five bills to amend the CCPA—AB 25, 874, 1146, 1355, and 1564. If signed by the Governor, these pieces of legislation will alter the scope of the CCPA, most significantly by (albeit temporarily) removing employees from most provisions and materially narrowing its application to business-to-business (B2B) contacts. This alert reviews the changes that each of these bills propose.
Removing Employee and Business Contact Information from CCPA Coverage—Temporarily
For businesses that collect little to no information from retail customers or other individuals that fit within the conventional concept of a consumer, AB 25 and AB 1355 could together have a significant impact. Taken together, these bills would remove personal information from employees and certain business contacts from most CCPA coverage. A one-year sunset clause makes these amendments inoperative on January 1, 2021, requiring the California legislature to come up with a more permanent solution or revert to the original CCPA text. Additionally, the exemptions do not apply to the CCPA’s data breach cause of action, with potential statutory damages of $100 to $750 per consumer per incident.
AB 25 is the most prominent bill, and it proposes several amendments to the CCPA. Most notably, it excludes from most of the CCPA’s key provisions any information that is collected about employees, job applicants, owners, directors, staff, officers, and contractors, as well as any emergency contact information those individuals provide to the business. Businesses would also still be required to provide employees with notices about what categories of information a business collects about them and their purpose for doing so, but they would not need to offer opt-out, access, and deletion rights.
AB 1355 adds an exemption for business contact information that a business collects during communications or transactions with another business or government agency (B2B transactions). Specifically, AB 1355 would exempt from most of the act’s provisions personal information about an employee, owner, director, officer or contractor of a business or government agency collected by a business as part of B2B transactions, in the context of due diligence of, or the provision of products or services to, the business or agency. The exemption does not exclude all B2B information, but it may exclude much of it. The exemption also does not apply to the right to opt out of the sale of a consumer’s data or obligation not to discriminate against a consumer for attempting to exercise other rights. AB 1355 also helpfully clarifies that consumers’ right to access any personal information that a company has collected about them in the past year does not require the business to retain any personal information that it would not otherwise retain in the ordinary course of business.
Clarifying What Counts as Personal Information
Two other amendments—AB 874 and AB 1146—provide additional clarifications on what personal information is covered by the CCPA.
AB 874 removes a carve-out from the definition of “publicly available” information that applied if a business used such information in a way that was “not compatible” with the purpose for which the information was made available by the government. That carve-out could have potentially affected businesses using government data to provide information services, and its removal should provide such businesses with comfort that their activities will not be materially impacted by the CCPA. AB 874 also expressly exempts de-identified or aggregate information from the definition of personal information. The CCPA already stated that its obligations should not restrict a business’s ability to collect, use, retain, sell, or disclose de-identified or aggregated information. The amendment may lessen confusion as to whether any of the CCPA’s substantive provisions might still apply to such information. Finally, the amendment clarifies part of the definition of personal information to state that information capable of being associated with an individual or household must be “reasonably” capable of being associated with the consumer or household.
AB 1146 exempts vehicle information and vehicle ownership information that is retained or shared by dealers for warranty or recall purposes. Vehicle information is defined to include VIN as well as make, model, year, and odometer reading. Vehicle ownership information includes the name and contact information for the owners. Such information may be shared, provided that the dealer or manufacturer receiving the information does not sell, share, or use it for any other purpose.
Modifying the Methods for Consumers’ Access or Deletion Requests
Lastly, AB 1564 amends the requirements as to the methods that businesses may provide for consumers to submit access or deletion requests. The text of the CCPA as enacted required businesses to provide at least two methods, including both a toll-free number and, if the business maintained a web site, a web address. The amendment adds that, for businesses that operate exclusively online and have a direct relationship with a consumer from whom it collects personal information, only one method—an email address for submitting requests—is required. The amendment originally added a physical address option, but that was removed before it was passed. This will avoid forcing online companies to open toll-free numbers to comply with the CCPA.
Unsuccessful CCPA Amendment
One additional amendment, AB 846, was ordered to the inactive file at the end of the legislative session. This amendment would have permitted loyalty programs that offer a benefit to customers who voluntarily participate and provide their personal information in spite of the CCPA’s general nondiscrimination protection. The amendment, originally proposed by industry, was hit with a poison pill amendment that prohibited the sale of data from loyalty program members, resulting in industry pulling its support of the amendment.
Non-CCPA Amendments That Could Affect the CCPA
An additional bill, AB 1130, which passed both houses of the legislature last week, would also clarify application of the CCPA’s private right of action for security breaches. If the Governor signs the legislation, AB 1130 would expand the types of personal information covered by California’s breach notification statutes to add two categories of information: (1) additional specification of governmental identifiers, such as a tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual; and (2) unique biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina, or iris image, used to authenticate a specific individual.
AB 1130 would be significant for the CCPA, because the CCPA provides a private right of action to individuals whose nonencrypted or nonredacted personal information is subject to a breach as a result of a business’s violation of the duty to implement and maintain reasonable security procedures and practices. As mentioned above, under the CCPA, each affected consumer may seek to recover $100 to $750 in damages per incident. Expanding the definition of personal information in the breach notification statute increases the likelihood that consumer information subject to a breach would fall under the CCPA, potentially leading to additional liability for businesses.
For more information on the CCPA or to discuss privacy or data security issues generally, please contact a member of our Data Practice group or visit https://www.ropesgray.com/CCPA.