On October 11, 2019, Governor Gavin Newsom signed into law five bills that directly amend the California Consumer Privacy Act (the “CCPA”) – AB 25, AB 874, AB 1146, AB 1355 and AB 1564. In addition, Governor Newsom signed two other bills related to data privacy, AB 1202 and AB 1130. The Governor’s signature came the day after California Attorney General Xavier Becerra released proposed regulations governing compliance with the CCPA. Ropes & Gray’s recent Alert describing the proposed regulations is available here.
A detailed discussion of the amendments to the statutory text of the CCPA is available in a prior Ropes & Gray Alert. In summary, the amendments revise the CCPA in the following key ways:
- Employee and B2B Exemption: AB 25 and AB 1355 together remove employee and business contact information from a significant amount of CCPA coverage, but they do so for only one year (from January 1, 2020 until January 1, 2021). Even after the amendments, however, some aspects of the law – most notably the requirements to provide notice and the CCPA’s data breach cause of action – remain in place with respect to these categories of California residents.
- Clarification of Right to Access: AB 1355 clarifies that consumers’ right to access any personal information that a company has collected about them in the past year does not require the business to retain any personal information that it would not otherwise retain in the ordinary course of business.
- Publicly Available Information: AB 874 removes a carve-out from the definition of “publicly available” information that applied if a business used such information in a way that was “not compatible” with the purpose for which the information was made available by the government. It also expressly exempts de-identified or aggregate information from the definition of personal information.
- Vehicle Warranties and Recalls: AB 1146 exempts vehicle information and vehicle ownership information that is retained or shared by dealers for warranty or recall purposes.
- Method of Access/Deletion Requests: AB 1564 amends the requirements as to the methods that businesses may provide for consumers to submit access or deletion requests. While retaining the general rule that most businesses must provide a toll-free number as one of two methods to make a request, the amendment allows businesses that operate exclusively online to use only one method – an email address – for submitting requests. This law will potentially require revisions to the proposed regulations, as the regulations do not contemplate the online-only development.
In addition to the CCPA amendments, the Governor signed the following two privacy-related bills into law:
- Data Breach Notification: AB 1130 expands the types of personal information covered by California’s breach notification and “reasonable security” statutes to add two categories of information: (1) additional specification of governmental identifiers and (2) unique biometric data generated from measurements or technical analysis of human body characteristics. The CCPA provides a private right of action to individuals whose nonencrypted or nonredacted personal information (as that term is defined, in part, in California’s existing “reasonable security” statute) is subject to unauthorized access and exfiltration, theft or disclosure as a result of a business’s violation of the duty to implement and maintain reasonable security procedures and practices. Expanding the definition of personal information for the CCPA’s private right of action increases the likelihood that consumer information subject to a breach would fall within its scope, potentially leading to additional exposure for businesses. The private right of action affords statutory damages of $100 to $750 per consumer per incident.
- Data Broker Registration: AB 1202 requires data brokers to register with, and provide certain information to, the Attorney General. Data brokers are defined as businesses that knowingly collect and sell to third parties personal information of a consumer with whom the business does not have a relationship. The law requires the Attorney General to create a publicly available registry of data brokers on its website, and it grants the Attorney General enforcement authority for violations.
While the passage into law of these bills has provided greater clarity around the scope and application of the CCPA, some vagueness and uncertainty remain. The Attorney General, who is also tasked with enforcing the CCPA, may revise the recently released draft regulations to address some of these issues or otherwise modify the proposed regulations to reflect public comment.
It is not clear if the regulations will be finalized prior to the January 1, 2020 date when the core provisions of the CCPA become operational, leaving in-scope businesses with the need to try to comply with the law under the guidance currently available, unless some sort of compliance extension is granted. In addition, if the new California ballot initiative successfully makes substantial alterations to the law (see Ropes & Gray’s recent Alert describing the ballot initiative), the evolution of the CCPA will continue.