Friday, Sept. 13 was the last day for bills amending the California Consumer Privacy Act (CCPA) and other pending consumer privacy laws to pass in this year’s legislative session. Assuming that Gov. Gavin Newsom signs the amendments that have been sent to him into law, we now know what the CCPA will look like on its January 1, 2020 effective date. While his signature is not guaranteed, there have not been any public signs that Gov. Newsom will veto any of these amendments. He has until October 13 to sign or veto the amendments.
The latest batch of amendments corrects some of the drafting errors that made it into the CCPA as a result of its rapid enactment—the original act was resurrected from the inactive file and signed within a week during July 2018. In addition, many of the amendments contain substantive revisions that, if signed into law, will change how the CCPA works in practice.
CCPA as Amended
There were many proposed amendments throughout the past year and, as of last Friday, five amendments had survived the legislative process:
- A.B. 25 has significant implications for employers. Among other things, A.B. 25 temporarily excludes businesses from nearly all CCPA requirements related to personal information that a business collects from its job applicants, employees, contractors and certain other individuals. This temporary exclusion is effective until January 1, 2021; only the private right of action and the obligation to provide notice as to the categories of personal information collected will apply during the CCPA’s first year.
- A.B. 874 clarifies that “deidentified” and “aggregated consumer” information is not “personal information” under the CCPA. As originally enacted, these two terms were erroneously excluded only from the definition of “publicly available” personal information. The bill was also amended to change the definition of personal information to add the word “reasonably” to the phrase “capable of being associated with,” thereby narrowing the definition. The amendment makes it more likely that there will be future litigation over whether or not information qualifies as “personal information,” especially in cases where multiple steps would need to be taken to link the information to an individual.
- A.B. 1146 provides an exemption for certain vehicle information (such as VIN numbers) from the opt-out and deletion rights provisions of the CCPA for the purpose of facilitating vehicle recalls and warranty work.
- A.B. 1355 originally only contained fixes to non-substantive drafting errors. However, late in the legislative session, several last-minute substantive edits were made to the bill, making it one of the key amendments. Most significant, the bill exempts most personal information collected in business-to-business transactions from the majority of the CCPA’s requirements for one year. Because this exclusion is set to sunset on January 1, 2021, it will likely be revisited in the next legislative session. In addition, the bill modified the private right of action for a data breach to require the breached data to be both unencrypted and unredacted before a consumer could recover for that breach. Before this amendment, an individual could bring a private right of action when the breached data was either unencrypted or unredacted, which was likely a drafting error. Finally, A.B. 1355 modifies the Fair Credit Reporting Act (FCRA) exception to make clear that to qualify for the FCRA exception from the CCPA’s scope, an organization must be both subject to FCRA and be using the information in compliance with FCRA’s requirements. The CCPA’s private right of action still applies to data that is excluded from the other provisions of the CCPA because of the FCRA exception.
- A.B. 1564 allows certain online-only businesses to meet their data access request requirements by providing only an e-mail address, removing the requirement that a telephone number and mailing address also be provided. In addition, any business that maintains an internet website is required to accept consumer access requests through that website. In cases where a consumer maintains an account with a business, the business may now require that a consumer submit a request through his or her account.
Other Non-CCPA Consumer Privacy Bills
Of the non-CCPA consumer privacy bills that the legislature was considering, only one made it through the legislative process.
- A.B. 1202 regulates data brokers and requires them to register with, and provide certain information to, the California Attorney General while also paying an annual fee. The California Attorney General’s Office will post the information provided by data brokers on its website. Data brokers who fail to comply will be subject to a civil penalty of $100 for each day of non-compliance.
While not part of the bill, the legislative findings that accompanied the bill were modified late in the legislative process to provide illustrative examples about who is and is not a data broker (and thus who is and is not subject to this bill’s requirements). These legislative findings state that businesses with “direct consumer relationships” are not data brokers. Establishing direct consumer relationships can be done very simply in this context, only requiring that a consumer “visits a business’ premises or internet website,” or “affirmatively and intentionally interacts with a business’ online advertisements.”
If courts deem these legislative findings persuasive, social media companies and certain ad-tech players that directly interact with consumers could be excluded from the definition of data broker and thus not required to comply with the requirements of this bill, should it become law.
Bills That Failed to Pass
A few California privacy bills (CCPA and non-CCPA) that looked like they were on the verge of passing stumbled at the finish line. The following bills, while dead for now, are likely to be resurrected in some form in the future:
- A.B. 846 attempted to carve out customer loyalty programs from the CCPA’s non-discrimination provisions. This bill, popular with retail businesses, had been expected to pass but was ordered to the inactive file on September 12. It is likely to be resurrected in the future.
- A.B. 1281 required businesses that use facial recognition technology to post a sign disclosing that fact.
- A.B. 1665 required parental consent before a website or application could sell a minor’s personal information.
- A.B. 1138 prohibited social media companies from allowing persons under 13 years of age to create an account without a parent’s consent and prohibited the use of that data for any purposes outside of parental consent.
For more information please contact Michael Nitardy or any attorney in Frost Brown Todd’s Privacy and Data Security practice group.