The last day of California’s 2019 legislative session, Sept. 13, 2019, saw a flurry of activity as numerous CCPA amendments, having been amended in the Senate, passed in the Assembly and were sent to the governor for his consideration. The more substantial amendments sought by industry groups, including those seeking relief for the adtech ecosystem, failed to pass. The amendments that did pass do not fundamentally decrease the CCPA compliance effort facing most businesses. In some cases they broaden the CCPA’s reach, most notably by classifying businesses that knowingly “sell” certain personal information as data brokers that must register with the California Attorney General (“California AG” or “AG”), and by expanding the types of data breaches that can trigger the CCPA’s private right of action. However, new grace periods for certain personal information collected in the B2B and HR contexts will come as a welcome reprieve for many companies.
The bills, which the governor must sign or veto by Oct. 13, 2019, include the following (each is discussed in more detail below):
- AB 1130 expands the scope of “personal information” covered by California’s data security and breach notification statutes to include certain government-issued identification numbers and unique biometric identifiers, which in turn expands the types of data breaches that are actionable under the CCPA’s private right of action and qualify for statutory damages
- AB 25 temporarily exempts personal information of employees and other “HR data” from the obligation to honor some CCPA rights (access, opt-out of sales, and deletion), but not others (privacy notice, private right of action with statutory damages)
- AB 1202 classifies any business that knowingly “sells” (as defined under the CCPA) personal information of consumers with whom the business does not have a direct relationship as a “data broker” that must register with the California AG
- AB 1355 establishes a one-year grace period for some CCPA requirements with respect to certain personal information exchanged in the B2B context, and broadens the CCPA’s FCRA exemption
- AB 874 clarifies the scope of “personal information”, “deidentified” and “aggregated information” under the CCPA
- AB 1564 allows businesses that operate exclusively online to designate an email address that certain consumers can use to submit CCPA information requests, and provides that this email address, rather than a toll-free phone number or web page, can be the sole method for submitting such requests. The bill also allows businesses to take a risk-based approach to verifying the identities of consumers exercising their CCPA rights
- AB 1146 partially exempts personal information needed for vehicle warranties or recalls from the obligation to honor deletion requests, and partially exempts vehicle and ownership information kept by or exchanged between car dealers and manufacturers from the obligation to honor requests to opt-out of “sales”
AB 1130 adds the following to the categories of personal information protected by California’s data security and breach notification statutes:
- Tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual.
- Unique biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina, or iris image, used to authenticate a specific individual. Unique biometric data does not include a physical or digital photograph, unless used or stored for facial recognition purposes.
This change will increase the number of security incidents that must be reported under California’s breach notification law, and that will be actionable under the CCPA’s private right of action if the breach resulted from a failure to protect this information with the “reasonable” security procedures and practices required by California’s data security law. Because the private right of action reaches only personal information that is neither encrypted nor redacted, encrypting or redacting these identifiers wherever they are stored materially reduces a business’s exposure to statutory damages.
AB 25 keeps employer-held personal information within the scope of the CCPA, but exempts for one year (until January 1, 2021) most CCPA requirements relating to personal information of:
- a business’s job applicants, employees, owners with a controlling interest, directors, officers, medical staff members (certain licensed doctors, dentists and podiatrists), and contractors who are California residents (“California Personnel”), when the personal information is used within the context of that person’s role;
- the emergency contacts of any California Personnel that a business collects and uses solely to keep emergency contacts on file; and
- beneficiaries and other individuals associated with California Personnel that a business collects and uses solely to administer benefits.
This grace period does not apply to:
- the requirement to give a privacy notice to California Personnel at or before the point of collection of their personal information (e.g., on web pages collecting job applications, during employee on-boarding) explaining the categories of personal information to be collected and the purposes for which they are used; or
- the private right of action for data breaches resulting from failure to protect this information with “reasonable” security procedures and practices required by California’s data security law.
Businesses should move forward with CCPA compliance by January 1, 2020 with respect to personal information of California Personnel by: (1) preparing and delivering privacy notices; and (2) confirming that they have applied reasonable security measures designed to protect personal information of California Personnel regulated by California’s data security law (the definition of which was amended by AB 1130). For guidance on what “reasonable” means, the California AG’s 2016 Data Breach Report pointed to the CIS Critical Security Controls as a minimum baseline.
After the grace period expires on January 1, 2021, unless the legislature takes steps to continue the exemption, businesses will be bound by all of the CCPA’s requirements in the HR context, such as honoring Californians’ access and deletion requests.
AB 1202 classifies as a “data broker” any business that knowingly collects and sells to third parties personal information of a consumer with whom the business does not have a direct relationship. Such data brokers must register with the California AG and pay a registration fee. The data broker must provide its name and physical, email, and website addresses, and may optionally explain its data collection practices. The California AG must post the information submitted by data brokers to a public website.
While incorporating defined terms from the CCPA (e.g., “business”, “consumer”, “collect”, “sell”), AB 1202 creates a new statute that the California AG can enforce with injunctive relief and monetary penalties, including daily penalties of $100, the registration fee, and expenses incurred by the California AG to investigate and prosecute the case.
AB 1202’s use of the CCPA’s broad definition of “sale” to define a “data broker” will sweep in many businesses that do not engage in typical data broker activities. While the bill aims to increase transparency, requiring such a broad class of “data brokers” to register on the California AG’s site may make it more difficult for consumers to identify which businesses are actually “selling” their personal information in the common-sense meaning of the word. In addition, the law will make it easier for consumers, and for plaintiffs’ lawyers and privacy advocacy groups acting on their behalf, to identify businesses that “sell” personal information under the CCPA and target them with opt-out requests.
B2B Data exemption. AB 1355 exempts, until January 1, 2021, the following personal information (“B2B Data”):
[P]ersonal information reflecting a written or verbal communication or a transaction between the business and the consumer, where the consumer is a natural person who is acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency and whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from such company, partnership, sole proprietorship, nonprofit or government agency.
B2B Data is exempted from the requirements under CCPA to:
- give a privacy notice at or before the time of collection of personal information
- honor access and deletion requests
- post a Do Not Sell My Personal Information link on the business’s homepage
However, B2B Data is not exempted from the requirement under the CCPA to honor:
- the right to opt-out of sales
- the right to non-discrimination
FCRA exemption. The CCPA currently exempts “the sale of personal information to or from a consumer reporting agency” that is used to generate a consumer report under the Fair Credit Reporting Act (“FCRA”). This bill broadens the exemption to “an[y] activity involving the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency” so long as the activity is “authorized” by the FCRA. However, the FCRA exemption does not shield consumer reporting agencies or other businesses against the private right of action or statutory damages under the CCPA for data breaches.
B2B Data exemption. Businesses hoping that the legislature would correct the CCPA by acknowledging that it was not intended to cover business contact information got the opposite answer: explicit recognition that the CCPA does govern this information. AB 1355 also gave a consolation prize in the form of a limited, one-year grace period, but it is not straightforward and raises several interpretive questions:
- If a business gets a vendor representative’s contact information not from the vendor, but from a third party participating in the same transaction with the business and the vendor, does the grace period apply to that contact information?
- If the grace period does not apply to sales leads purchased from a data broker, would the grace period attach (a) if the business actually contacts those sales leads to offer a product or service or as part of “due diligence” into a potential business relationship, (b) once the lead is converted into a customer, or (c) not at all?
- Finally, if the grace period exempts a business from giving privacy notices to, or posting “Do Not Sell My Personal Information” links for, business contacts but does not exempt the business from honoring requests to opt out of sales, is the business required to offer any explanation of how to exercise the opt-out right?
The text of AB 1355 offers no clear answers to any of these questions.
Moreover, the exemption from the obligation to give privacy notices and post “Do Not Sell My Personal Information” links may be at best marginally helpful if businesses have to implement them anyway for prospective customers and other business contacts who do not fall within the scope of the exemption. However, the challenges posed by CCPA’s access and deletion requirements are considerable, and the one-year reprieve from having to deal with access and deletion requests from most end users of online B2B accounts and other business contacts will be welcome to many.
FCRA exemption. By enlarging the FCRA exemption beyond just “sales” of personal information to include other activities “authorized” by the FCRA, the bill now comes closer to harmonizing the FCRA exemption with the Gramm-Leach-Bliley Act (“GLBA”) exemption, removing some doubts about its application to FCRA-regulated data use. However, businesses must still maintain reasonable security measures under California’s data security law for personal information subject to FCRA, since the exemption does not extend to the CCPA’s private right of action or statutory damages for data breaches.
AB 874 clarifies the scope of “personal information” under the CCPA in three respects:
- “Publicly available” information. The bill fixes a drafting error to clarify that the “publicly available” information excluded from the definition of “personal information” refers to “information that is lawfully made available from federal, state, or local government records.”
- Deidentified or aggregated information. The bill clarifies that personal information “does not include consumer information that is deidentified or aggregate consumer information,” which was not previously explicit due to a different drafting error.
- Information “reasonably” capable of being associated. To address concerns that “personal information” could be read to include information that is only theoretically capable of being linked with a consumer or household, the bill revises the definition of “personal information” to refer to information “that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household” (the word “reasonably” is the addition).
The modifications to publicly available information and deidentified/aggregated information are non-substantive drafting error corrections. However, the addition of the “reasonably” qualifier to the definition of “personal information” was viewed by the California Chamber of Commerce, which championed the amendment, as necessary to avoid extreme results. If personal information included any information theoretically capable of being associated with a consumer or household, the Chamber argued (see the 09/11/19 Assembly Floor Analysis), a brick-and-mortar store could, for example, be forced to search security camera footage to figure out where a customer appears in it and hand the footage over to the customer in response to an access request, even if the business had never linked the footage to anyone.
In addition, the change harmonizes the CCPA’s definition of “personal information” with the FTC’s Privacy Framework (focusing on data “that can be reasonably linked to a specific consumer, computer, or device”) and with the CCPA’s existing definition of “deidentified,” which already includes a similar “reasonably” qualifier (“information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer”).
“Toll-free number” exemption. The CCPA requires businesses to provide two or more methods by which consumers can submit information requests under the CCPA, including a toll-free telephone number and, if the business operates a website, a web page. AB 1564 changes that for businesses that operate “exclusively” online and have a “direct relationship” with a consumer from whom the business collects personal information. Such businesses are required only to designate an email address, which may be the sole method by which that consumer can submit CCPA information requests.
Risk-based identity verification. The CCPA requires businesses to “reasonably verify” the identities of individuals making information, access and deletion requests under the CCPA. This bill clarifies that businesses can require a level of verification that is “reasonable” in light of the personal information requested (but they still cannot require consumers to create accounts with the business).
“Toll-free number” exemption. AB 1564 will spare many online businesses that do not have “brick and mortar” interactions with consumers from the burden of establishing new toll-free phone numbers for use by consumers with whom they are already communicating online. However, if a business collects personal information about consumers with whom it does not have a direct relationship, the business will still need to offer a toll-free number that those consumers can use to make CCPA information requests. In addition, “operates exclusively online” is not defined, and it is not clear whether an online business can qualify for this exemption with respect to individuals with whom it interacts in corporate offices or at occasional offline events or promotions. As a result, many online businesses may find it most expedient to simply establish a toll-free number rather than parse their eligibility for the exemption.
Risk-based identity verification. The amendment acknowledges that identity verification should not be a one-size-fits-all proposition, and that it may be necessary for businesses to require more stringent identity verification for access or deletion requests involving more sensitive personal information.
AB 1146 creates two limited exemptions for car dealers and manufacturers covering personal information and vehicle information related to recalls and warranty service.
First, the bill provides that personal information is exempt from the deletion requirement if it is needed to fulfill a warranty or recall in accordance with federal law.
Second, the bill provides that the right to opt out of “sales” of personal information does not extend to “vehicle information” (the number, make, model year, and odometer reading of a vehicle) or “ownership information” (the names and contact information of the vehicle owners) retained by, or shared between, dealers and manufacturers, if used for vehicle warranty or recall purposes under federal law. Notably, the vehicle and ownership information exemption does not apply to other CCPA rights, such as the rights of access or deletion.
The CCPA contains a general exemption providing that it does not restrict a business’s ability to comply with federal, state, or local laws. However, AB 1146 shows that for at least one industry group, auto dealers and manufacturers, the general exemption was not enough. Other industry groups may well follow suit and seek explicit industry-specific exemptions for legal compliance activities in the 2020 legislative session, which will undoubtedly see another wave of attempts to modify the CCPA.