October 23, 2019

CCPA Amendments Update

Don’t wait to implement your California Consumer Privacy Act (CCPA) compliance as it could require changes to your operations. As a reminder, the CCPA takes effect January 1, 2020 and can apply to businesses even if they do not have offices or employees in California. It can also reach activities conducted outside of California. 

As of September 13, 2019, the California legislature advanced six CCPA amendments to Governor Newsom’s desk for signature. The Governor has until October 13, 2019, to act on any or all of these amendments. The amendments clarify some exemptions to the CCPA, create some new narrow exemptions, update some operational requirements, clarify some defined terms, and create a new data broker registry. Given the magnitude of the CCPA overall, and some of its provisions that lack clarity in interpretation, the amendments are relatively limited in nature and leave a number of questions about CCPA compliance unanswered. A brief overview of highlights from the amendments follows:

Limited Employee and Personnel Exemption

For a period of 1 year (January 1, 2020-December 31, 2020), the CCPA would not apply to personal information collected in connection with an individual’s role as a current or former job applicant to, employee of, owner of, medical staff member of, or contractor of a business—solely to the extent the individual’s personal information is used and collected in the context of that role. The limited exemption also covers emergency contact information of such persons and personal information necessary to administer benefits for any other person relating to such persons. These individuals nonetheless retain their CCPA rights to be informed of the categories of personal information collected and the purposes for which the personal information is used by the business along with their right to bring a private action for a data breach.

Changes to “Personal Information”

The word “reasonably” has been added in front of “capable of being associated with” a consumer or household in the definition of “personal information.”

Any “information that is lawfully made available from federal, state, or local government records” is “publicly available” and not “personal information,” regardless of how that information is used. Previously, businesses would have been required to use that information for a purpose compatible with the purpose for which the data is maintained in order to invoke the “public information” exemption.

As amended, “personal information” does not include consumers’ information that is deidentified or aggregate consumer information. The amendments do not address or further clarify the standards for de-identifying data.

Limited B2B Information Exchange Exemption

For a period of 1 year (January 1, 2020-December 31, 2020), a number of CCPA rights would not apply to personal information collected in the context of a business-to-business relationship. This exemption does not apply to the rights to opt in / opt out from sale of one’s personal information and be protected from certain discrimination if one exercises one’s CCPA rights. To fall in this exemption, the individual must be acting as an employee, owner, director, officer, or contractor of a business, and their personal information exchanged must be in the context of a business relationship (e.g., conducting due diligence, or providing or receiving a product or service from the business).

Clarifications Bearing on Implementing the CCPA

A business would be permitted to require reasonable authentication of the individual making a request to know what personal information the business maintains about them (or other CCPA request requiring verification) to help that business review and confirm if it is a verifiable consumer request. Reasonableness would be determined based on the circumstances, i.e., nature of information requested. If a consumer maintains an account with the business, then the business could require the consumer to submit requests via that account.

Businesses that operate exclusively online and have a direct relationship with the consumer would only have to provide an email address for consumers to submit disclosure requests to the business (and not also a toll-free number).

The amendments specifically permit the California Attorney General to adopt additional regulations on how to process and comply with verifiable consumer requests for specific pieces of personal information relating to households (which are included in the definition of personal information). There have been security and privacy concerns that members of a household will be able to seek copies of information of other individuals in a household.

The amendments clarify that the CCPA does not require a business to collect personal information that it would not otherwise collect in the ordinary course of its business or retain personal information for longer than it would otherwise retain such information in the ordinary course of its business.

FCRA Information Exemption

The CCPA does not apply to information processing for purposes of the Fair Credit Reporting Act (FCRA), namely collecting, maintaining, disclosing, selling, communicating, or using personal information bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency. The exemption does not impact an individual’s ability to bring a private action against a business for a data breach involving such information.

Narrow Vehicle Industry Exemption

The amendments add a narrow vehicle industry exception for the CCPA’s “do not sell” requirements. The CCPA right to opt out or opt in from sale of one’s personal information would not apply to vehicle information (e.g., VIN, make, model, year, odometer reading) or ownership information (e.g., name of registered car owner and contact information) exchanged between a car manufacturer and new car dealer if used to carry out a vehicle repair covered by warranty or recall (so long as the recipient does not sell, share or use that information for any other purpose).

New Data Broker Registration

A separate law, not part of the CCPA, passed with the CCPA amendments given it “piggybacks” on the CCPA’s definitions to set out its requirements. The law requires “data brokers” to register with the California Attorney General. A “data broker” is a CCPA-regulated business that “knowingly collects and sells to third parties the personal information of a consumer with whom the business has no direct relationship.” It does not include entities already regulated by the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA), or California’s Insurance Information and Privacy Protection Act. Each year on or before January 31, data brokers would be required to register with the California Attorney General, pay the applicable fee and provide certain information. The law directs the Attorney General to create a publicly available online registry of all data brokers.

Copyright © 2019 Womble Bond Dickinson (US) LLP All Rights Reserved.

About this Author

Theodore Claypoole, Intellectual Property Attorney, Womble Carlyle, private sector lawyer, data breach legal counsel, software development law
Senior Partner

As a Partner of the Firm’s Intellectual Property Practice Group, Ted leads the firm’s IP Transaction Team, as well as data breach incident response teams in the public and private sectors. Ted addressed information security risk management and cross-border data transfer issues, including those involving the European Union and the Data Protection Safe Harbor. He also negotiates and prepares business process outsourcing, distribution, branding, software development, hosted application and electronic commerce agreements for all types of companies.

...

704-331-4910
Nadia Aram, Womble Carlyle, Intellectual Property Attorney, technology licensing lawyer, commercial agreements legal counsel, private securities law
Associate

Nadia advises clients in a variety of business transactions involving the use and commercialization of intellectual property and technology. She has experience drafting and negotiating a broad variety of contracts, including technology licenses, services, consulting and other complex commercial agreements to help clients realize the value of their assets day-to-day, and as part of strategic product and technology acquisitions and divestitures. Nadia also practices in the areas of franchise law, and advertising, sweepstakes & promotions law, including advising clients on digital media marketing to minimize the risks of advertising and marketing online.

She started at the firm as a corporate attorney with a focus on mergers and acquisitions and private securities offerings and investments, and brings her knowledge and experience of corporate matters to bear on her current practice and advice to clients on strategic transactions. Relevant industry experience includes: biotechnology, agrochemical, pharmaceutical, software, retail, manufacturing, financial and other services sectors.

919-755-2119
Taylor Ey, Intellectual property attorney, Womble Carlyle, Law Firm
Associate

Taylor is an associate in the Intellectual Property Practice Group in Womble Carlyle’s Research Triangle Park Office.

Education

J.D. | 2016 | Wake Forest University School of Law | cum laude | Notes and Comments Editor, Wake Forest Law Review, 2015-2016 | Teaching Assistant, Legal Analysis, Writing and Research I & II, Writing for Judicial Chambers

M.S. | 2012 | The Ohio State University | Biomedical Engineering

B.S. | 2011 | The Ohio State University | Biomedical Engineering | Minor, Life Sciences | cum laude

919-484-2306