The California legislature recently passed five bills – AB 25, AB 874, AB 1146, AB 1355, and AB 1564 – that, if signed by the Governor, will make several notable changes to the California Consumer Privacy Act (CCPA), including the addition of new temporary exemptions for employee information and certain information collected in business-to-business transactions.
Below we provide highlights of the changes proposed by each bill.
- Until January 1, 2021, adds an exemption from certain CCPA provisions for personal information that is collected from a natural person acting as an employee, job applicant, owner, director, medical staff member, officer, or contractor of the business, as well as any emergency contact information such individuals provide to the business. For these individuals, businesses need not provide opt-out, access, or deletion rights, but are still required to provide notices about what categories of information a business collects about them and the purpose for doing so. Businesses are also still subject to potential liability under the CCPA for data breaches involving this information.
- Clarifies that when responding to a verifiable consumer request, a business may: (i) require authentication of the consumer that is reasonable in light of the nature of the personal information requested; and (ii) if the consumer maintains an account with the business, require the consumer to submit the request through that account. A business still may not require a consumer to create an account to make the request.
- Amends the definition of “personal information” under the CCPA by: (i) clarifying that such information must be “reasonably” capable of being associated with a particular consumer or household; (ii) expressly excluding deidentified or aggregate consumer information; and (iii) removing certain language regarding what constitutes “publicly available” information, including a previous carve-out that spoke in terms of whether a business used such information for a purpose that was “not compatible” with the purpose for which the information was maintained and made available in government records.
- Clarifies that the CCPA’s deletion rights do not apply if it is necessary for the business to maintain the consumer’s personal information in order to “fulfill the terms of a written warranty or product recall conducted in accordance with federal law.”
- Provides an exemption from a consumer’s right to opt out of the sale of personal information with respect to vehicle ownership information shared between a new car dealer and the vehicle manufacturer for repairs covered under warranty or recall, provided that the dealer or manufacturer with which the information is shared does not sell, share or use the information for any other purpose.
- Until January 1, 2021, adds an exemption for certain information that a business collects during communications or transactions with another business or government agency. Specifically, AB 1355 would exempt from most of the CCPA’s provisions personal information about an employee, owner, director, officer, or contractor of a company or government agency collected by a business in the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from the company or agency. The exemption does not apply to the CCPA’s non-discrimination rights or the right to opt out of the sale of a consumer’s data. Businesses are also still subject to potential liability under the CCPA for data breaches involving this information.
- Clarifies that the CCPA does not require a business to: (i) collect personal information that it would not otherwise collect in the ordinary course of its business, or (ii) retain personal information for longer than it would otherwise retain such information in the ordinary course of its business.
- Amends the CCPA’s private right of action for data breaches to clarify that the breach must involve personal information that is both nonencrypted and nonredacted.
- Clarifies that the FCRA exemption generally applies to activities involving the collection, maintenance, disclosure, sale, communication, or use of personal information bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, furnisher, or user that is subject to regulation under FCRA, provided that the information is not used, communicated, disclosed, or sold except as authorized by FCRA.
- Amends the exception to the CCPA’s anti-discrimination provisions that permits a business to charge a different price or offer a different level or quality of goods or services to certain consumers who exercise their rights under the CCPA by clarifying that the exception considers the value provided by the consumer’s data to the business (rather than to the consumer).
- Amends the CCPA’s existing requirement that businesses provide two or more designated methods for consumers to submit requests for information (including a toll-free telephone number) by allowing a business that operates exclusively online and has a direct relationship with a consumer from whom it collects personal information to simply provide an email address for consumers to submit such requests.