California CCPA: Golden State Variations
Business Impact of the CCPA Amendments
Since the California Consumer Privacy Act (“CCPA”) passed in June 2018, legislators have proposed and stakeholders have lobbied on more than a dozen amendments addressing various components of the CCPA. September 13 was the close of this legislative term and thus the deadline to pass any amendments prior to the law’s January 1, 2020 effective date. Now California Gov. Gavin Newsom has until Oct. 13 to sign (or not sign) the legislature’s changes.
These anticipated modifications to the CCPA temporarily resolve some questions, such as whether employees and business representatives receive all the same legal rights as traditional consumers. However, many ambiguities remain unaddressed, even as the California legislature added a companion law with regulatory provisions aimed at data brokers. The fundamentals of the CCPA remain, and as such, organizations will continue to struggle with just how to apply ambiguous provisions and definitions by January 1. (For a thorough overview of each amendment, read WBD’s Client Alert.)
The CCPA as currently enacted defines “personal information” so broadly as to include anything that “identifies, relates to, describes, is capable of being associated with” a particular consumer or household. AB 1355 narrows this definition to information that is “reasonably” capable of being associated with a consumer, a device, or a household. This gives covered entities more agency in discerning whether the particular data is subject to the law’s provisions, although what might be reasonably identifiable to one entity might not be so for another. We anticipate guidance from the California AG on this and other issues.
The law excludes “publicly available information” from the definition of “personal information.” As it is currently constituted, “publicly available information” must be both information that is lawfully made available from federal, state, or local government records, and be used by the entity for a purpose that is compatible with the purpose for which the information was maintained. For example, this means that a public list of healthcare providers would not fit within the exclusion if the entity used the names for marketing purposes. AB 1355 removes that second requirement of compatibility with purpose, which is a marked improvement. The broadening of the “publicly available information” exemption gives covered entities more latitude to maintain data that was made readily available to them from public sources. However, it is important to keep in mind that the universe of data is still limited to what was made available by governmental sources and not, for example, a public social network profile or even a company’s website.
AB 1355 also provides that “deidentified” and “aggregate consumer information,” which are currently only excluded from the definition of “publicly available,” are also not considered “personal information.” The threshold for deidentification remains the same: information can only be classified as “deidentified” if it “cannot reasonably…be capable of being associated with, or be linked, directly or indirectly” to a particular consumer. Therefore, while this change brings some clarity to the statutory language, it means little for covered entities.
Each of us maintains different roles in our life: spouse, parent, employee, sibling, consumer, and so on. The original CCPA defines “consumer” as a “natural person who is a California resident.” This broad definition for “consumer” meant that the law would apply to information collected by covered entities for their employees and contractors. AB 25 provides some relief to covered entities in this context: for one year, it exempts from most CCPA provisions personal information collected about job applicants, employees, owners, directors, officers and contractors, as long as it is collected and used solely within the context of that employment or contractor relationship. Personal information used for emergency contact purposes and the administration of employment benefits is also exempt. But because there is a sunset on this exemption and it is uncertain whether it will be renewed or permanently applied, covered entities should continue to be mindful about how they are collecting employee and vendor information.
Covered entities, even within this one-year span, still have obligations to their employees and contractors. For instance, they must provide employees with information on the categories of personal information the business collects about them. Employees still have the ability to sue their employers in the event of a data breach.
Covered entities would also receive another significant reprieve for a period of one year from providing certain consumer rights when the personal information collected is in the context of a business-to-business relationship. This exemption requires that (1) the individual acts as an employee, owner, director, officer, or contractor of a business, and (2) the personal information collected arises from the business relationship. The “B2B exemption,” as it is colloquially known, gives covered entities more breathing room during transactions, particularly in conducting due diligence such as whether to do business with an organization. Notably, however, covered entities are still required to honor opt-out requests from these business persons, much like one would under the federal CAN-SPAM law.
AB 1355 also modifies the CCPA’s treatment of personal information used by credit-reporting agencies under the Fair Credit Reporting Act. Information bearing on a consumer’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living, when used by a consumer reporting agency, would be exempt from the CCPA.
Data Broker Registry
AB 1202, a standalone bill, requires “data brokers” to register with the California Attorney General’s office annually. A “data broker” is “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” Data brokers will be required to provide their name and primary physical, email, and internet website addresses. They can also provide “any additional information or explanation the data broker chooses to provide concerning its data collection practices.” Data brokers as defined in the amendment are unlikely to be thrown off by this measure since a Vermont law already mandates registration.
In closing, organizations subject to the CCPA — and there are a great many of them — have a significant amount of work to do to prepare by the deadline. While those that must comply with the EU’s General Data Protection Regulation will benefit from some CCPA similarities, the broader concern remains that any number of states are expected to renew CCPA-like efforts in the next legislative terms.