Governor Newsom Signs CCPA Amendments
On the heels of the California Attorney General’s release of the draft California Consumer Privacy Act (CCPA) Regulations, on Friday Gov. Newsom signed seven bills amending various provisions of the CCPA. The relevant amendments signed by the governor are described below. With less than three months before the CCPA becomes effective on January 1, 2020, businesses will now need to take into account these amendments as they continue their compliance efforts.
•Employee / Job Candidate One-Year Exemption. Assembly Bill 25 amends the CCPA until January 1, 2021, to add Cal. Civ. Code § 1798.145(g), which requires a business to comply with only the notice requirements under Cal. Civ. Code § 1798.100(b) and private cause of action for data breaches under Cal. Civ. Code § 1798.150 for the following types of consumers: employees, job candidates, business owners, directors, officers, contractors and medical staff. These types of consumers are not entitled to any other rights under the CCPA.
•Consumer Requests Disclosure Methods. Assembly Bill 1564 amends the CCPA to add a Cal. Civ. Code § 1798.130(a)(1)(B), which permits a business that operates exclusively online and has a direct relationship with the consumer to provide only an email address as the method for submitting consumer requests. All other businesses must have two designated methods (including at least a toll-free number).
•Business-to-Business (B2B) One-Year Exemption. Assembly Bill 1355 amends the CCPA until January 1, 2021, to add Cal. Civ. Code § 1798.145(l), which exempts written or verbal communication or a transaction between the business and the consumer, where the consumer is an employee or owner of another company, and whose communications with the business occur solely within the context of the business providing or receiving a product or service to such company. B2B consumers are still entitled to (a) bring a private right of action under the law (§ 1798.150), and (b) to the opt-out of sale right (§ 1798.120), but the opt-out of sale notice provisions in Cal. Civ. Code § 1798.135 would not apply to businesses.
•Personal Information Definition.
–Assembly Bill 1355 amends § 1798.140(o)(2) of the CCPA, to provide that “personal information,” as opposed to “publicly available,” “does not include consumer information that is deidentified or aggregate consumer information.”
•Amends the definition of “personal information,” Cal. Civ. Code § 1798.140(o)(1)), to include “reasonably” in two places to state: “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following if it identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.”
•Adds Cal Civ. Code § 1798.140(o)(3), which provides that “personal information” does not include “consumer information that is deidentified or aggregate consumer information.”
•Clarifies that “publicly available” in the definition of “personal information” means “information that is lawfully made available from federal, state, or local government records. ‘Publicly available’ does not mean biometric information collected by a business about a consumer without the consumer’s knowledge.” (Cal Civ. Code § 1798.140(o)(2)).
•Private Right of Action. Assembly Bill 1355 amends Cal. Civ. Code § 1798.150(a)(1) to clarify that class-action lawsuits may be brought only for data breaches pursuant to California’s data breach notification law when the personal information is “nonencrypted and nonredacted.”
•Data Breach Notification. Assembly Bill 1130 amends Cal. Civ. Code § 1798.81.5 to require businesses to notify consumers when tax identification numbers, passport numbers, military identification numbers, or other unique identification numbers issued on a government document commonly used to verify the identity of a specific individual have been compromised in a data breach.
•Vehicle Information. Assembly Bill 1146 amends the CCPA to add Cal Civ. Code § 1798.145(g)(1), providing that a consumer’s opt-out of sale right “shall not apply to vehicle information or ownership information retained or shared between a new motor vehicle dealer . . . and the vehicle’s manufacturer . . . if the vehicle or ownership information is shared for the purpose of effectuating, or in anticipation of effectuating, a vehicle repair covered by a vehicle warranty or a recall.”
•Data Broker Registration. Assembly Bill 1202 requires data brokers to register with the attorney general, and requires the attorney general to create a publicly available registry of data brokers on its website, and grants the AG enforcement authority for violations of these requirements.