October 23, 2019

October 23, 2019

Subscribe to Latest Legal News and Analysis

October 22, 2019

Subscribe to Latest Legal News and Analysis

October 21, 2019

Subscribe to Latest Legal News and Analysis

2019 CCPA Amendment Process Comes to a Close

Interested parties and privacy professionals have all been anxiously awaiting how legislative activity would shake out before the California Consumer Privacy Act (“CCPA”) is implemented January 1, 2020.  Now that the dust has settled inside the golden dome in Sacramento and the state legislature’s 2019 session has come to a close, we can see which bills passed and will be provided to Governor Gavin Newsom, who has until October 13th to either veto these bills or sign them into law. 

Overall, the CCPA remains relatively intact, despite intense industry interest.  It also seems that the amendments leave a number of unanswered questions about CCPA compliance.

Here is the full list of the amendments awaiting the governor’s signature:

Data Broker Registration:  AB-1202 requires data brokers to register with the State Attorney General (“AG”) and provide certain information to the AG. Data brokers are defined as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.”  This definition is subject to provided exceptions. The AG will make the information provided by data brokers accessible via its website. The AG is granted certain enforcement powers. 

Employee and Business Exemption: AB-25 carves out employee from the definition of “consumer” and has been narrowed to include a notice requirement for employers. This amendment also provides a limited exemption for personal information collected in the context of a business-to-business relationship. To fall in this exemption, the individual must be acting as an employee, owner, director, officer, or contractor of a business, and the personal information exchanged must be in the context of a business relationship.  It also sunsets on January 1, 2020, thus committing the Legislature and interested parties to take up more comprehensive privacy legislation on these topics in 2020.  These individuals retain the CCPA rights to bring a private action for a data breach. Mintz will present a webinar on October 22nd discussing employer obligations under the CCPA – mark your calendar! 

Publicly Available Information: AB-874 excludes information obtained from government records from the definition of “personal information,” regardless of how that information is used. It also clarifies that de-identified or aggregate information is not “personal information.”  This amendment also adds the word “reasonably” in front of “capable of being associated with” in the definition of “personal information,” but did not delete or define “household,” as had been hoped.  

Vehicle Warranties and Recalls:  AB-1146 excludes the sharing of vehicle information or ownership information as between a new motor vehicle dealer and the OEM from the right to opt-out if that sharing is for warranty repair or recall purposes.

Clarifying Amendments & Exemptions: AB-1355 narrows the disclosure requirement to categories of third parties to which information is sold, rather than requiring such disclosure on a specific party-by-party basis and allows for differential treatment of a consumer reasonably related to the value of the consumer’s information to the business. Meanwhile AB 846, which would have excluded loyalty programs from non-discrimination if the loyalty program offer is for a specific good or service whose functionality is “directly related to the collection, use, or sale of the consumer’s data” did not pass. 

Consumer Request for Disclosure Methods: AB-1564 adds an exception to the method of contact that permits “a business that operates exclusively online and has a direct relationship with a consumer from whom it collects personal information” to only provide an email address for submitting requests to exercise various CCPA rights.

The next shoe to drop with respect to the CCPA will be draft regulations or guidance from the California Attorney General’s office, expected later this fall.   However, given the scope and impact of the CCPA, businesses should not wait to implement CCPA compliance, as it could require changes to operations.  Remember, the CCPA can apply to businesses even they do not have offices or employees in California and can reach activities conducted outside of California.

Watch this space for more #CCPA news, as well as important analysis of how these amendments will affect certain business models and CCPA compliance efforts. 

©1994-2019 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

TRENDING LEGAL ANALYSIS


About this Author

Cynthia Larose, Privacy, Security, Attorney, Mintz Levin, Law Firm, electronic transactions lawyer
Member / Chair, Privacy & Cybersecurity Practice

Cynthia is a highly regarded authority in the privacy and security field and a Certified Information Privacy Professional (CIPP). She handles the full range of data security issues for companies of all sizes, from start-ups to major corporations. Cynthia is masterful at conducting privacy audits; crafting procedures to protect data; advising clients on state, federal, and international laws and regulations on information use and data security; helping organizations respond to breaches; and planning data transfers associated with corporate transactions. She is an in-...

617-348-1732
Brian H. Lam, Mintz Levin, software licensing lawyer, vendor agreements attorney
Associate

Brian has extensive experience in patent litigation and intellectual property matters, as well as privacy and data protection matters, particularly as to data aggregation, network security, and technology transactions. Beyond counseling on compliance, incident response, and data privacy and protection, Brian has advised on technology-centric agreements, licensing issues, open source software licensing, vendor agreements, and hosting agreements, and analyzed patent portfolios for potential assertion or freedom to operate. He is a Certified Information Privacy Professional (US Specialization), and Certified Information Systems Security Professional (CISSP), endorsement pending.

Prior to joining Mintz Levin, Brian held associate roles at several California law firms, and spent five months as a Judicial Extern for the Hon. Richard M. Neiter. He also spent time as a network security analyst prior to entering the legal field and is well-versed in computer science and telecommunications. While attending law school, Brian earned the USC Fulton Haight Memorial Scholarship, and American Jurisprudence Awards in Criminal Law, Antitrust, and Advanced Intellectual Property.

858.314.1583