CCPA Act II: Amendments Pass California Legislature, Head to Governor’s Desk
The California Legislature adjourned its 2018-19 Session over the weekend with the passage of just six bills amending the California Consumer Privacy Act, which goes into effect January 1, 2020, leaving businesses with only a handful of clarifications to the law, and yet more confusion. The bills are now headed to the desk of Governor Gavin Newsom for signature by October 13, 2019, and, so far, all indications are he will sign all of them.
Below we review the most relevant amendments – both those that graduated from the Legislature and those that failed to pass – and we highlight key takeaways, considerations, and ongoing questions on how to interpret this Act.
• PASSED: An exemption that carves out employee data from most (but not all) CCPA requirements. However, this exemption auto-expires at the end of 2020.
• FAILED: The loyalty-program amendment was shelved, which would have carved out certain “sales” of personal information between parties providing loyalty program benefits.
• PASSED: An amendment stating online-only businesses only need to provide an email method of contact to consumers.
• PASSED: Clarifying language expressly indicating that the CCPA does not require a business to collect personal information it wouldn’t otherwise collect or retain personal information it would ordinarily delete.
• PASSED: An exemption that carves out data gathered from B2B communications and transactions from most (but not all) CCPA requirements. This exemption also auto-expires at the end of 2020.
• PASSED: An amendment stating that information gathered from public records is not “personal information” for purposes of the CCPA.
Employee Carve-Out Passes (AB 25)
First, the good news. One bright spot in the Legislature’s activities this past session is an amendment that clarifies that, as a general matter, the Act does not apply to personal information collected by businesses about employees, job applicants, contractors, business owners, officers/directors and medical staff in their work-related roles. In other words, an employee or job applicant cannot demand, under the CCPA, that the business provide them with the categories or specific pieces of data collected, or demand deletion of all personal information collected in connection with their employment or prospective employment. The exemption also covers emergency contact information collected by businesses, as well as information provided to the business to administer benefits. However, this particular exemption sunsets one year after the CCPA goes into effect, with the Legislature aiming to draft a more robust bill related to privacy and employees on or before January 1, 2021.
Even with most information pertaining to employees, job applicants, contractors, etc. exempted from the law – at least for now – there are some important limitations to this exemption that businesses should be mindful of:
• Second, where the covered individuals are not acting as employees, contractors, owners, etc. of the business, businesses should assume that information collected from those individuals is outside the scope of their employment and used for non-employment-related purposes, and therefore is covered by the full scope of the CCPA. For example, where an employee is also a customer of the business/a user of its services, information collected from that person would not be covered by this exemption.
• Third, this exception does not exclude employees and others covered by this provision from the data breach protections provided in the CCPA at Civil Code § 1798.150, so employees can still bring suit in the event of a breach.
A bill that would have clarified the CCPA as it applies to customer loyalty programs was shelved just before the Legislature adjourned. The amendment would have prohibited businesses from selling the personal information of consumers collected as part of a loyalty or rewards program, except to third parties in order to provide the consumer with a financial incentive, sale or other discount, and only for purposes of identifying the consumer as a member of the loyalty program. The amendment further provided that consumers would have had to expressly consent to such sales, could withdraw their consent at any time, and could not be prohibited from participating in the loyalty program on equal terms as other consumers if such consent was withdrawn. The amendment was supported by numerous retail, travel, restaurant and hotel trade associations and companies, as well as consumer watch-dog groups.
Where does this leave businesses that operate loyalty and rewards programs? Unfortunately, they are left with the Act’s existing non-discrimination provisions. These provisions prohibit discrimination against a consumer who exercises his or her CCPA rights, including by charging or suggesting that the consumer will be charged a different price for goods/services or providing disparate levels of service. However, this section also states that a business may “offer a different price, rate, level, or quality of goods or service to the consumer if that price or difference is directly related to the value provided to the business by the consumer’s data” (emphasis added).
While this section was amended to clarify that such differential treatment is permitted where there’s value in sharing the data to the business, as opposed to the consumer as in the original version, there’s still much to be divined as to when a business can offer different prices to those who’ve exercised their CCPA rights (e.g., the do-not-sell right) and when they cannot. With the failure of the loyalty program amendment, this remains a particularly vexing question for the operators of loyalty programs in which members receive preferential pricing or treatment compared to non-members and where the operator is unable to effectively operate the program where a member invokes his or her CCPA-mandated right to prohibit the “sale” of his or her personal information to a third-party partner involved in the loyalty program.
Methods for Receiving and Verifying Requests For Information (AB 1564)
As originally drafted, the Act required two or more methods of contact, including a toll-free telephone number and, if the business maintains a website, a web address by which consumers exercising their rights under the Act’s disclosure provisions (Civil Code §§ 1798.115 and 1798.120) could make such requests to businesses. The amendment provides that businesses that operate exclusively online and that have a direct relationship with consumers from whom the information is collected may provide an email address only for submitting such requests. Another provision provides that businesses that maintain a website are required to make the website available to consumers to submit these access requests.
However, as with other amendments to the CCPA, this particular provision adds more confusion than it clears up. First, there may be some clarification required for what it means to “operate exclusively online.” And while the first provision states that businesses operating exclusively online must only provide one mode of contact, i.e., an email, the second provision states that businesses that maintain a website must provide a web page through which a consumer may make such a request. A conservative reading of these provisions would counsel in favor of still having a minimum of two methods of contact for businesses: either a toll-free number (for off-line businesses) or an email address (for those businesses that operate exclusively online), and a web page for any business, online or not, that maintains a website.
One welcome amendment in connection with consumer requests is a provision added to Civil Code § 1798.130(a)(2) that provides that businesses may require “authentication of the consumer that is reasonable in light of the nature of the personal information requested.” The amendment goes on to provide that consumers are not to be required to create an account in order to make such a request, but that if “the consumer maintains an account with the business, the business may require the consumer to submit the request through that account.” Assuming the bill is signed, businesses now have at least a starting point for determining what standards they will use to verify that the information requested is actually that of the consumer making the request. And, hopefully, the California Attorney General’s forthcoming regulations on the CCPA will further guide businesses in what standards they may use to verify a requester’s identity.
Effect on Data Retention Practices (AB 1355)
A technical—but very important—amendment to the Act clarifies that businesses are not required to collect personal information that they would not ordinarily collect, or retain personal information for longer than they would ordinarily retain such information, nor are they required to re-identify or link information that is not maintained as personal information.
This is great news: it means businesses will not have to retain personal information outside of ordinary business needs and rewrite their data retention policies merely in an effort to comply with the Act’s twelve-month look-back period.
Business-to-Business Sharing (AB 1355)
The Legislature added a narrow exemption for business-to-business sharing of information, specifically exempting from the CCPA’s many requirements any personal information collected via communication or transaction with an individual where that individual is acting on behalf of a business. The exemption only reaches communications and transactions that “occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from” the business represented by the individual. As such, while this provision exempts a business from many of the obligations imposed by the CCPA’s disclosure and deletion requirements for information received from a business partner for purposes of due diligence, it does not extend to the Act’s do-not-sell, non-discrimination and data breach provisions. And, this particular provision sunsets on January 1, 2021.
Publicly Available Government Records Not “Personal Information” (AB 874)
One of the more interesting amendments passed by the Legislature provides that “personal information” does not include “publicly available information,” which means information that is lawfully made available from local, state and federal public records. Given the amount of information that may be gleaned from government records about individuals, it is interesting that the Legislature determined that such information is, by virtue of being included in a public record, not personal information. While this may be a welcome development for those businesses whose models depend on being able to scrape and use information gathered from public records, other businesses should be cautious and not assume that just because a piece of personal information maintained about an individual may also be found in a public record, that it is no longer “personal information” under the statute, thereby triggering the statute’s various disclosure and deletion requirements. In other words, if a business has collected certain information directly from a consumer, it likely cannot rely on the “publicly available information” carve-out as it may be difficult to distinguish between information collected directly versus scraped from government records.
Harmonizing the FCRA and CCPA (AB 1355)
This amendment clarifies that the Act does not apply to information processing activities that are already regulated by the federal Fair Credit Reporting Act. Specifically, the amendment states that the Act does not apply to “an activity involving the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency … by a furnisher of information … who provides information for use in a consumer report.” However, consumers will still be able to bring a private right of action under the CCPA for a data breach involving such information.
Vehicle Information (AB 1146)
This industry-specific amendment provides a couple of important exceptions to the CCPA for vehicle dealers and manufacturers. The amendment provides an exception to the opt-out rights found at Civil Code § 1798.120 (giving consumers the right to direct businesses to not sell the consumer’s personal information) for vehicle information or ownership information shared between a new motor vehicle dealer and the car manufacturer, if shared for warranty or recall purposes. It also creates an exception to the deletion requirement for personal information that is required to “fulfill the terms of a written warranty or product recall conducted in accordance with federal law.”
Data Broker Registration (AB 1202)
This amendment requires data brokers, which are defined as businesses that “knowingly collect and sell to third parties the personal information of a consumer with whom the business does not have a direct relationship,” to register with the Attorney General on an annual basis.
While these amendments offered a glimmer of clarity on certain aspects of the CCPA, there’s still much to be desired in terms of guidance on how a business can comply with the Act. As we wait for regulations interpreting the Act from the Attorney General’s office (hopefully in the early fall), companies should continue to be both diligent and flexible in developing their CCPA compliance programs.