January 21, 2020

January 20, 2020


2019 CCPA Amendment Process Comes to a Close

Interested parties and privacy professionals have all been anxiously waiting to see how legislative activity would shake out before the California Consumer Privacy Act (“CCPA”) is implemented January 1, 2020. Now that the dust has settled inside the golden dome in Sacramento and the state legislature’s 2019 session has come to a close, we can see which bills passed and will be provided to Governor Gavin Newsom, who has until October 13th to either veto these bills or sign them into law.

Overall, the CCPA remains relatively intact, despite intense industry interest.  It also seems that the amendments leave a number of unanswered questions about CCPA compliance.

Here is the full list of the amendments awaiting the governor’s signature:

Data Broker Registration:  AB-1202 requires data brokers to register with the State Attorney General (“AG”) and provide certain information to the AG. Data brokers are defined as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.”  This definition is subject to provided exceptions. The AG will make the information provided by data brokers accessible via its website. The AG is granted certain enforcement powers. 

Employee and Business Exemption: AB-25 carves out employees from the definition of “consumer” and has been narrowed to include a notice requirement for employers. This amendment also provides a limited exemption for personal information collected in the context of a business-to-business relationship. To fall within this exemption, the individual must be acting as an employee, owner, director, officer, or contractor of a business, and the personal information exchanged must be in the context of a business relationship. It also sunsets on January 1, 2020, thus committing the Legislature and interested parties to take up more comprehensive privacy legislation on these topics in 2020. These individuals retain the CCPA rights to bring a private action for a data breach. Mintz will present a webinar on October 22nd discussing employer obligations under the CCPA – mark your calendar!

Publicly Available Information: AB-874 excludes information obtained from government records from the definition of “personal information,” regardless of how that information is used. It also clarifies that de-identified or aggregate information is not “personal information.”  This amendment also adds the word “reasonably” in front of “capable of being associated with” in the definition of “personal information,” but did not delete or define “household,” as had been hoped.  

Vehicle Warranties and Recalls:  AB-1146 excludes the sharing of vehicle information or ownership information as between a new motor vehicle dealer and the OEM from the right to opt-out if that sharing is for warranty repair or recall purposes.

Clarifying Amendments & Exemptions: AB-1355 narrows the disclosure requirement to categories of third parties to which information is sold, rather than requiring such disclosure on a specific party-by-party basis, and allows for differential treatment of a consumer reasonably related to the value of the consumer’s information to the business. Meanwhile, AB-846, which would have excluded loyalty programs from non-discrimination if the loyalty program offer is for a specific good or service whose functionality is “directly related to the collection, use, or sale of the consumer’s data,” did not pass.

Consumer Request for Disclosure Methods: AB-1564 adds an exception to the method of contact that permits “a business that operates exclusively online and has a direct relationship with a consumer from whom it collects personal information” to only provide an email address for submitting requests to exercise various CCPA rights.

The next shoe to drop with respect to the CCPA will be draft regulations or guidance from the California Attorney General’s office, expected later this fall. However, given the scope and impact of the CCPA, businesses should not wait to implement CCPA compliance, as it could require changes to operations. Remember, the CCPA can apply to businesses even if they do not have offices or employees in California and can reach activities conducted outside of California.

Watch this space for more #CCPA news, as well as important analysis of how these amendments will affect certain business models and CCPA compliance efforts. 

©1994-2020 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.


About this Author

Cynthia Larose
Member / Chair, Privacy & Cybersecurity Practice

Cynthia is a highly regarded authority in the privacy and security field and a Certified Information Privacy Professional (CIPP). She handles the full range of data security issues for companies of all sizes, from start-ups to major corporations. Cynthia is masterful at conducting privacy audits; crafting procedures to protect data; advising clients on state, federal, and international laws and regulations on information use and data security; helping organizations respond to breaches; and planning data transfers associated with corporate transactions. She is an in-...

Brian H. Lam

Brian Lam is a member of Mintz’s Privacy & Security Practice and Technology Transactions Practice. Brian focuses his practice on providing practical advice that enables companies to pursue their business in a competitive environment while reducing risk associated with the collection, use, storage, transfer, and potential loss of data. He frequently negotiates complex data-centric information technology agreements, and designs policies and corresponding controls for the implementation of best practices, compliance with state and federal law, and international considerations. He often reviews the data flows within an organization from both a senior leadership perspective as well as at the implementation level, and provides actionable recommendations to engineer such data flows in order to reduce compliance risk and engender consumer trust.

Brian frequently provides advice to clients that wish to buy or sell corporate entities whose business models leverage data and information technology, including data aggregation, analytics, and open source software.

Brian has been designated a Fellow of Information Privacy (FIP) by the International Association of Privacy Professionals, and is also a Certified Information Privacy Professional (CIPP) (US Specialization), Certified Information Privacy Manager (CIPM), and a Certified Information Systems Security Professional (CISSP). He has a B.S. in Computer Science and an M.S. in Telecommunications from the University of Colorado at Boulder, College of Engineering and Applied Science.

He is also a member of Governor Brown’s California Cybersecurity Task Force, a statewide partnership comprised of key stakeholders, subject matter experts, and cybersecurity professionals from California's public and private sectors, academia, and law enforcement that serves as an advisory body to the State of California Senior Administration Officials in matters related to cybersecurity.

Before becoming an attorney, Brian worked at one of the country’s leading information security firms, where he focused on analyzing the existing network security controls of financial institutions, online merchants, and government organizations. He also conducted penetration tests, provided guidance on PCI-DSS compliance, and assisted federal law enforcement with digital forensics post security incident. Subsequently, he joined one of the world’s largest management consulting and information services firms, where he led efforts to design and implement large-scale information security initiatives for Fortune 500 companies, including one of the world’s largest banking and consumer credit companies.