UPDATE: California Governor Signs CCPA, Data Breach Amendments

On October 11, 2019, Governor Newsom signed six important amendments to the California Consumer Privacy Act (CCPA), including the critical AB 25 (creating a partial exemption for employee data) as well as an update to California’s data breach notification law, a separate statute. These amendments, including ones discussed in our previous alert, are now final and will take effect in January 2020.

Assembly Bill 25: The Employee Exemption

Under the original text of CCPA, personal information that businesses collect about their California resident employees is treated the same as any other personal information.

Assembly Bill 25 (AB 25) creates a partial exemption for personal information that businesses collect about job applicants, employees, owners, directors, officers, medical staff, and contractors. Specifically, AB 25 exempts from CCPA “[p]ersonal information that is collected by a business about a natural person in the course of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business.” This partial exemption provision will expire on January 1, 2021, a year after it goes into effect.

AB 25 also exempts emergency contact information collected in the same context to the extent a contact is on file, and personal information necessary to administer employee benefits.

Finally, AB 25 alters several other provisions of CCPA. For example, AB 25 allows businesses to require that consumers submit their verifiable requests via a consumer account, in cases where the consumer already maintains an account with the business, easing the administrative burden on businesses that already make large-scale use of user accounts. This is consistent with the proposed regulations issued by the Attorney General on October 10, which we analyzed separately here.

Under the exemption created by AB 25, businesses are still required to disclose to employees the categories and uses of personal information collected about them under Section 1798.100(b). In addition, AB 25 does not alter the private right of action available to consumers under CCPA in the event of a data breach and failure to implement reasonable security practices and procedures.

Other CCPA Amendments

Assembly Bill 874: Updating “Personal Information”

Under the original CCPA text, any information that “is capable of being associated” with a consumer or household qualified as “personal information.” AB 874 has redefined personal information to mean that which is “reasonably capable of being associated with” a particular consumer or household. This change has substantially narrowed the scope of CCPA in practice by creating an objective reasonableness requirement when analyzing whether certain personal information is associated with a particular consumer or household.

AB 874 made other small but important changes to the definition of “personal information,” including:

• Clarifying that neither “publicly available” nor “deidentified” or “aggregate” consumer information is included as “personal information”;
• Excluding from the definition all information “lawfully made available from federal, state, or local government records”; however, “publicly available information” is limited to information made available and maintained by government records; and
• Clarifying that “personal information does not include consumer information that is deidentified or aggregate consumer information.”
  • CCPA defines “aggregate” and “deidentified” information to mean not reasonably linkable to an individual consumer or household.
    • “Aggregate” records may only relate to a group or category of consumers
    • “De-identified” records also require internal processes to prevent reidentification of consumers

Assembly Bill 1146: Warranty and Automobile Exemptions

AB 1146 added another specific basis to the CCPA’s list of reasons a business may refuse a request to delete personal information: fulfilling the terms of a written warranty or complying with a product recall. See Cal. Civ. Code § 1798.105(d).

AB 1146 exempts “vehicle information or ownership information retained or shared between a new motor vehicle dealer…and the vehicle’s manufacturer…if the vehicle or ownership information is shared for the purpose of effectuating or in anticipation of effectuating, a vehicle repair under warranty or a recall…provided that the new motor vehicle dealer or vehicle manufacturer … does not sell, share, or use that information for any other purpose” from consumers’ right to “opt-out” of the sale of their personal information. AB 1146 includes definitions of both “vehicle information” and “ownership information.”

This exemption ensures that transfers of information between vehicle dealers and manufacturers that might otherwise qualify as sales (and thus be subject to consumers’ opt-out rights) do not necessarily require permission of the automobile owners involved in order to proceed.

Assembly Bill 1202: Data Broker Registration Requirement

AB 1202 creates a requirement that data brokers register with the California Attorney General. Data broker means a business that “knowingly collects and sells to third parties the information of a consumer with whom the business does not have a direct relationship.” Such businesses must now register with the California Attorney General and pay a fee by January 31 “following each year in which a business meets the definition of a data broker” and provide: (1) the name of the data broker and its primary physical, email, and internet website addresses; and (B) “[a]ny additional information or explanation the data broker chooses to provide concerning its data collection practices.” Failure to register is accompanied by a civil penalty of $100 for each day the data broker fails to register, as well as any expenses incurred by the Attorney General to investigate and prosecute the action as the court deems appropriate. The Attorney General will create a page on its internet website where the information provided by data brokers under this title will be publicly accessible.

Assembly Bill 1355: Business-to-business exemption and language clean-up

AB 1355 exempts from most CCPA obligations written or verbal communications between a California consumer and a business where the consumer is acting as an employee, owner, director, officer, or contractor of an organization “whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from such company[.]” The rights of access, deletion, opt-out, and the notice requirements imposed by the CCPA do not apply to personal information gathered under these circumstances, though the basic obligation to implement reasonable security practices and procedures remains.

AB 1355 also made a number of more minor changes to the CCPA’s text:

• Amending Section 1798.110(c) to clarify that businesses that collect personal information about consumers are obligated to disclose the categories of information collected about “consumers” and “that a consumer has the right to request the specific pieces of personal information the business has collected” in a reasonably accessible form.
  • This change clarified some confusion over whether businesses must disclose “specific pieces of personal information the business has collected” without a consumer request (an apparent unintentional repetition of Section 1798.110(a)), which details what information consumers have the right to receive on request.
• Adding requirements to the online privacy policies of covered businesses.
  • Businesses’ policies now need to include descriptions of the right to request access to information created by Section 1798.100 and the right to request deletion of information guaranteed by Section 1798.105, as well as the three sections originally included.
  • This obligation is alongside the privacy notice obligations that will ultimately arise from the Attorney General’s CCPA regulations, when implementing rules are finalized. Article 2 of the proposed regulations released on October 10 contains a number of requirements specific to privacy policies.

Assembly Bill 1564: Telephone Number or Web Address

AB 1564 requires most businesses to provide at least two or more means for a consumer to submit requests, including at least a toll-free telephone number, but allows businesses that operate exclusively online and directly with consumers to provide only an email address. As a result, AB 1564 has eased the burden on businesses that operate exclusively online by removing the requirement of a toll-free phone number or physical mailing address.

Data Breach Notification Rules Update

In addition to the CCPA amendments, Governor Newsom also signed AB 1130, which updated California’s data breach notification rules to add biometric information and various government-issued identifiers to the statute’s definition of personal information. New government identifiers include “tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual.” Cal. Civ. Code. § 1798.29(g)(B).

California’s data breach law requires businesses to disclose breaches of security to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. This obligation extends to encrypted information if the security or encryption key was also compromised. Businesses are also obligated to inform the California Attorney General of breaches in which more than 500 California residents must be notified, and to inform the owner of any compromised data that the business does not own.