The California legislative session ended with a bang on 13 September, when legislators passed several noteworthy amendments to the California Consumer Privacy Act (CCPA). The California governor has until 13 October to act on these amendments. We have outlined below the amendments that materially alter the original scope or requirements of the CCPA and that will impact CCPA compliance activities for many organizations.
Limited Personnel Exemption
Assembly Bill 25, the amendment exempting personal information collected from employees and other personnel from the scope of the CCPA, was passed in a revised form. Under this final version of the amendment, the rights of access, correction and opt-out of sale do not apply to employees, job applicants, owners, directors, staff, officers, contractors and medical staff (collectively, "personnel"). However, businesses will still be required to meet the notice requirements laid out in Section 1798.100 for personnel and personnel still benefit from the private right of action in the event of a data breach as provided in Section 1798.150. The same provisions apply to personal information collected from personnel in the context of providing benefits, as well as information related to personnel's emergency contact information. Importantly, this limited exemption expires after one year. While California legislators have made an affirmative commitment that they will address employee data privacy during the course of the next year, if they fail to do so prior to 1 January 2021, personnel information obtained from personnel and/or in the context of benefits will then be subject to the full requirements of the CCPA.
Limited B2B Information Exemption
Assembly Bill 1355 provides business-to-business (B2B) companies a limited reprieve from complying with all the requirements of the CCPA in the context of communications and transactions with other companies, organizations, and government agencies. Personal information that is collected in the course of B2B communications or transactions from or about an employee, owner, director, officer or contractor of a business or government agency is exempt from most CCPA requirements. Notably, however, this exemption does not apply to the right to opt out of the sale of personal information, the obligation not to discriminate against a consumer for attempting to exercise other rights, or the private right of action in the event of a data breach. Like the limited personnel exemption, this exemption also expires after one year, at which point business contact information will be covered by the CCPA if the legislature does not take further action in the interim. This being said, B2B companies that do not sell (as this term is defined by the CCPA) business contact information will still have to closely re-examine their other California personal information collection, to determine if and to what extent they must comply with CCPA requirements for other types of personal information they collect, such as for marketing purposes with prospective customers.
Clarification to the Definition of "Personal Information"
The original text of the CCPA defined "personal information" as "information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household" — an extremely expansive definition. The amendments narrowed this definition by adding a reasonableness standard. That is, "personal information" must identify, relate to, describe, be reasonably capable of being associated with, or could reasonably be linked with a particular consumer or household. This means that businesses will still have to evaluate whether a particular piece of personal information is capable of being associated with a consumer or household, but this association must be reasonable in light of the information and means reasonably available to the business. Further, the amendments clarify that "personal information" does not include de-identified or aggregate information, or "publicly available information" that is lawfully made available from federal, state, or local government records.
FCRA and Vehicle Industry Exemptions
The CCPA amendments also clarified two further exemptions, one related to the Fair Credit Reporting Act (FCRA) and one related to the vehicle industry. Specifically, activities related to consumer credit reports are exempt from the CCPA, to the extent that the information is subject to the FCRA and the activities are allowed by the FCRA. Previous versions of the CCPA limited this exemption to the "sale" of information from consumer reports, but the final version of the CCPA expands the scope of the exemption to all such activities.
Further, a consumer's right to opt-out of the "sale" of personal information does not apply to vehicle information or ownership information exchanged between a car manufacturer and new car dealer, so long as the information is used to carry out a vehicle repair covered by warranty or recall (so long as the recipient does not sell, share or use that information for any other purpose) and the information is not further shared or sold for any other purposes.
Other Notable Amendments . . . and Those that Failed
For businesses that operate exclusively online and have a direct relationship with a consumer from whom they collect personal information, only one method of access or deletion request will be required to be provided — an email address for submitting requests. This clarification has a significant impact on those businesses that operate exclusively online, since they will no longer be required to set-up a toll-free number in order to comply with CCPA requirements.
One important amendment, Assembly Bill 846, which would have protected certain loyalty programs, was removed from consideration and tabled until next year. This amendment addressed loyalty reward, discount and similar programs, and included a prohibition on the sale of personal information collected as part of those programs, as well as a limited exception to that prohibition.