Alert September 25, 2019

What A Long Strange Trip It’s Been: California Legislature Passes Key CCPA Amendments

In the waning days of the legislative session, the California Legislature this month passed several notable measures amending the California Consumer Privacy Act (CCPA). While the Legislature surprised many by rejecting a number of industry-backed proposals, the amendments, which still require the Governor’s signature, will materially reduce compliance obligations for many companies subject to the statute.

Employee Privacy

As anticipated, the Legislature passed AB 25, which clarifies the extent to which the CCPA applies to personal information relating to job applicants, employees and contractors (Employee Information), but solely in the context of the employment or contractor relationship. The changes set forth in AB 25 exclude Employee Information from most provisions of the statute (including access, deletion and opt-out rights) until January of 2021, when the exemption sunsets. Companies will still be required to provide notice to employees of how Employee Information will be collected and used. Furthermore, California residents affected by a privacy or security breach involving Employee Information will still be able to enforce a private right of action and seek statutory damages. The one-year sunset term offers further opportunity for companies as well as labor and privacy advocates to continue to seek further changes and negotiate complicated questions regarding access rights that may be asserted by employees who suspect they may be the focus of a complaint or investigation, as well as similar issues associated with employees who wish to exercise deletion rights in the employment context.

Business-to-Business (B2B) Data Processing

AB 1355, a heavily negotiated “technical amendment,” includes a one-year delay on implementation of the notice, access and deletion requirements for personal information processed in the “B2B” context. Specifically, it exempts personal information obtained directly from a “communication or a transaction with a California resident acting on behalf of a business, non-profit, or government agency” from the CCPA for one year. AB 1355 does not, however, exempt a business from its duty to maintain reasonable security procedures to protect such information, and businesses will still be subject to the private right of action for data breaches involving B2B personal data. The bill also does not delay the application of the right to request an opt-out from the sale of B2B personal data. Notwithstanding these caveats, AB 1335’s B2B exemption will significantly reduce the compliance burden for many businesses.

AB 1355 would also: 

  • Narrow the definition of personal information by adding “reasonably” before “capable of being associated with,” which results in a narrowed definition of information from that which was theoretically capable of being associated with a California resident, to that which is only “reasonably” capable of being associated with such resident.
  • Clarify that personal information that has been encrypted or redacted is exempt from class action suits in the event of a data breach, as opposed to the previous drafting which required personal information to be both encrypted and redacted to qualify for the exemption.
  • Broaden the Fair Credit Reporting Act (FCRA) exception, by which the CCPA exempts “the sale of personal information to or from a consumer reporting agency” if that information is to be reported in, or used to generate, a consumer report” and the use of the information is limited by the FCRA. The amendment clarifies that the exception applies more broadly to “any activity involving the collection, maintenance, disclosure, sale, communication, or use of any personal information” by a consumer reporting agency, by a furnisher of data and by a user of a consumer report, if the activity is “authorized by” the FCRA. The amendment clarifies that CCPA, except for the reasonable security obligation class-action right, will not apply to FCRA-authorized data activities.
  • Clarify that the CCPA does not require a business to collect personal information that it would not normally collect, nor store information for any period of time longer than it would otherwise keep personal information in the normal course of business. The amendment makes it clear that businesses are not required to take additional steps to collect or keep data in a different manner or for a longer period of time than it would with its standard business practices in order be able to respond to consumer requests.
  • Clarify that the CCPA’s anti-discrimination provision (which prohibits companies from charging more or denying services to consumers who exercise their CCPA rights) permits differential treatment of consumers who exercise CCPA rights from those that do not exercise those rights, provided any difference “is reasonably related to the value provided to the business by the Consumer’s data.” Under the original CCPA language, any difference in treatment had to be reasonably related to the value provided to the consumer by the consumer’s data.

The amendments agreed to in AB 1335 can be considered business-friendly while still maintaining core rights for consumers.

Other Notable CCPA Amendments That Have Cleared the Legislature Include:

  • AB 874, which expands the CCPA exception for publicly available government record information. Under the amendment, information that is lawfully made available in federal, state or local government records will be considered “publicly available” information, which is excluded from the definition of personal information. As a result, businesses that rely on information obtained from government records will not be subject to CCPA for these activities.
  • AB 1146, which exempts vehicle and ownership data relating to warranty and recall repairs from the CCPA’s deletion and opt-out rights. Dealerships and manufacturers can freely share vehicle owner name and contact information, vehicle identification number (VIN), make, model, year, and odometer readings in order to contact consumers about warranty work, recalls or safety alerts without the personal information being subject to the deletion and opt-out rights.
  • AB 1202, which requires “data brokers” (defined as businesses that collect and sell personal information to third parties) to register with the California Attorney General’s Office on an annual basis. The Attorney General will in turn post information about the broker on its website. The database will be available to the public so that consumers can see who has their information, who sells it, and can opt out and request deletion of their data. Failure to register will result in penalties and fines, which will be deposited in the Consumer Privacy Fund. Advertisers, marketing list brokers and other similar business are subject to these requirements. AB 1202 does not technically amend CCPA but rather will be codified in a separate section of California law.
  • AB 1564, allowing businesses that “operate exclusively online” and have “a direct relationship with a consumer” to receive CCPA rights requests through an email address, rather than a toll-free telephone number. AB 1564 does not define what it means to operate “exclusively online” nor does it indicate what constitutes a “direct relationship with a consumer.” As a result, it is not clear if app developers fall within the “exclusively online” criteria, nor is it clear whether a user who interacts with an app, particularly one that is available through an app store, has a “direct relationship” with the consumer. However, since most businesses who develop and offer apps do not also offer a “brick-and-mortar” storefront or experience to their users, and app stores (such as iTunes and Google Play) merely enable the business relationship between the app developer and the consumer, it is a reasonable interpretation that AB 1564 permits app developers and other companies who do not have a brick-and-mortar presence to provide only an email address through which subjects can make requests.

Governor Gavin Newsom has until October 13 to sign the bills. We will continue to monitor developments, including the anticipated publication of the proposed and final implementing regulations by the Attorney General.

Authors and Contributors:

Karen L. Neuman
David S. Kantrowitz
Eric DiIulio
Allyson Maur

To learn more about how Goodwin can help your company address privacy and cybersecurity, contact Brenda R. Sharton, partner and Chair of the Privacy & Cybersecurity practice, or Karen L. Neuman, partner and privacy lead in Washington, DC.

Goodwin's Chambers and Legal 500 ranked Privacy & Cybersecurity practice offers a fully integrated, multi-disciplinary approach to clients' data protection needs. One of the longest-standing of any Am Law 50 firm, our global team is uniquely positioned to provide the most innovative solutions to guide clients through the collection, use, processing and protection of their most sensitive information. Our senior lawyers include a former Chief Privacy Officer of the U.S. Department of Homeland Security, a Legal 500 “Leading Lawyer” and a “Next Generation Lawyer” in Cyber Law and Data Breach Response, as well as four other Legal 500 Cyber Law ranked partners, several former federal prosecutors, and multiple GDPR, CCPA, HIPAA, and COPPA experts. We have handled hundreds of data breaches, including high-profile, global incidents involving everything from ransomware to nation-state attacks; have advised on over 700 public and private transactions in the last year alone; and have designed strategic privacy, information security and compliance programs for startups, global enterprises, and everything in between. We have litigated landmark privacy cases and defended against class action and government enforcement actions brought by the FTC, OCR/HHS, state attorneys general and regulators across the globe.