California has just adopted some significant amendments to the California Consumer Protection Act (CCPA). McDermott Will and Emery’s Michael Morgan and Wendy Zhang analyze the six amendments that just passed (and one that didn’t).
Pushback from business interests – many of them based in Silicon Valley – has prompted California to make changes to its groundbreaking privacy-protection legislation, which takes effect at the start of the new year.
An analysis of the amendments to the California Privacy Protection Act (CCPA) finds that, while they are noteworthy, they leave most of the core aspects of the law intact. Even so, given the short time remaining before January 1, 2020, businesses that are subject to the law should understand how they will be affected and should take proactive and appropriate action to comply.
The CCPA, which was passed by the state legislature at the end of June 2018, seeks to give consumers control over the way large corporations collect, use and distribute their personal data.
As a result of input from concerned businesses and consumer groups, the California legislature passed six bills amending the CCPA on the final day of the 2019 session. Governor Gavin Newsom is expected to sign those bills into law by the October 13 deadline.
Analyzing the Amendments
The first amendment exempts some information about a business’s workforce. With the amendment, the CCPA will not apply to personal information a company collects about people who apply for jobs, or about employees, contractors and other staff members. This amendment, which was the most watched, means employers may continue to collect and retain personal information (including emergency contact information and information necessary for the administration of benefits) about their workers and those who aspire to work for them.
Businesses will still be required to give privacy notices to their employees, contractors and job applicants detailing the types of personal information being retained about them, but they will not have to provide these individuals with access to that information, nor must they allow them to opt out of having it sold to third parties or comply with demands that it be deleted.
There is an important limitation, however: This exemption will sunset on January 1, 2021. That means the California legislature will need to revisit this issue next year and decide at that time whether to keep the exemption in place or to consider more comprehensive employee-privacy legislation.
The second amendment, which deals primarily with business-to-business transactions, exempts personal information collected by companies when they are communicating or conducting transactions with other companies, including when they are performing due diligence or providing or receiving products and services. The exemption applies when the information is imparted by a business contact who is not acting on their own personal behalf, but in their capacity as an employee, owner, director, officer or contractor of another business.
Companies will not be required to notify other company contacts that they are keeping their information on file, nor give them access to that information or the opportunity to have it deleted.
The amendment does not, however, stop business contacts from demanding that their information not be sold to third parties. Nor does it negate the business’s anti-discrimination obligation, which prevents a business from treating customers, including business customers, differently when they choose to exercise their rights under the law.
As with the employee exemption, this exemption will sunset on January 1, 2021. Even though companies have been given more leeway in handling information they collect during business-to-business transactions, they should still be careful about how they construct and share marketing or other lists containing the data of business.
This amendment also clarifies the relationship between the CCPA and the Fair Credit Reporting Act (FCRA). Specifically, the CCPA will not apply to activities authorized by the FCRA that allow consumer reporting agencies to collect, maintain, disclose, sell or communicate information about a consumer’s credit worthiness. This includes the customer’s credit standing, credit capacity, character, general reputation, personal characteristics or mode of living. Nor will the law apply to the people or entities that provide information to consumer reporting agencies or to the users of the consumer reports.
This amendment also clarifies that, as businesses attempt to comply with the CCPA, they are not required to collect or retain personal information they would not otherwise obtain and store in the ordinary course of their business.
The amendment also clarifies that businesses are not required to comply with a consumer’s request for disclosure about their personal information being stored until the business has verified the consumer’s identity. It clarifies that the verification of identity should be reasonable in light of the personal nature of the information requested, and that consumers who already maintain accounts with businesses may be required to submit their request through those accounts. While the amendment grants flexibility to businesses in creating their own verification procedures, we expect further guidance on verification requirements to be part of the Attorney General’s rulemaking process, which will result in the issuance of regulations on or before July 1, 2020.
Consumer requests, particularly for access and deletion, introduce obvious privacy and security concerns. An individual’s personal information could be inadvertently shared with people in their own household as a result of requests by other family members. It could be subject to unauthorized requests by identity thieves. Fraudsters might try to exploit weaknesses in the authentication procedures to obtain the personal information of potential victims.
For those reasons, businesses will need to carefully consider how to best verify a consumer’s identity, and the impact of the request itself, as they comply with the CCPA. This process will be especially challenging for companies with respect to individuals who establish an authentication mechanism with the business, such as would ordinarily occur when an individual opens an account.
The third amendment modifies the definition of “personal information” under the CCPA to mean information that is “reasonably” capable of being associated with a consumer or household. This amendment explicitly exempts any data that has been “de-identified” or expunged of markers that tie it to specific individuals, as well as aggregate consumer information and information obtained from public government records (regardless of the purpose of using the information).
Businesses that intend to rely on the exclusion of de-identified or aggregate consumer information when storing information about consumers will need to carefully examine the CCPA’s definitions of those terms.
The fourth amendment is about vehicle information and exempts some of the consumer information transmitted between automotive dealers and vehicle manufacturers when vehicle repairs are covered by a manufacturer’s warranty. Consumers will not be able to prevent their personal information from being shared between dealers and car makers, nor demand that it be deleted, if the information is necessary for the businesses to fulfill the terms of a written warranty or product recall.
The fifth amendment addresses the ways in which consumers can make requests for their information and clarifies that businesses are generally required to provide at least two methods of contact, including a toll-free telephone number. If the business operates exclusively online and has a direct relationship with a consumer, it will need to provide only an email address for submitting the requests. If the business maintains a website, it will be required to provide a website for submitting requests.
The sixth amendment, which relates to “data brokers,” is not technically part of the CCPA, but sets rules for businesses that collect and sell personal information about consumers with whom they do not have a direct relationship. “Direct relationships” are not specifically defined, but the legislation suggests they can be formed when consumers visit a business’s premises or website, when they intentionally interact with a business’s online advertisements or when they have some level of knowledge or control over the business’s collection of their data.
Data brokers will be required to register with the Attorney General and will have to pay a fee and disclose both their contact information and information regarding their data collection practices. This information will be published in a public database maintained by the Attorney General. Failure to register could subject the data broker to injunctions and penalties of $100 per day.
Those are the six amendments passed by the California legislature.
A seventh amendment about customer loyalty programs failed. It would have clarified that the CCPA does not prohibit businesses from offering consumers who participate in their voluntary loyalty or rewards programs a different set of prices, rates, levels or quality of goods or services than is offered to other consumers. It would have also prohibited businesses from selling personal information collected as part of loyalty or rewards programs to third parties unless the consumer provided express consent and the third party used the information only for the purpose of identifying the consumer as an eligible member of the program.
Based on the text of the law, the regulations created by the Attorney General can be expected to include updating definitions and categories of personal information, establishing additional exemptions and establishing additional rules and procedures related to consumer information requests, opt-out requests and compliance with notice requirements.
The Attorney General can begin enforcement of the CCPA six months after the publication of the regulations or July 1, 2020 – whichever comes first. But the enforcement actions will most likely consider compliance going back to the January 1, 2020 effective date.
Therefore, with the expectation that Governor Newsom will sign these bills into law, it would be prudent for businesses to evaluate carefully how they apply to their operations and implement any necessary changes sooner rather than later.