CCPA Amendments: Howling at the Moon
Updated: Oct 24, 2019
Last Friday was the end of the California legislative session for 2019. It was also a full moon and Friday the 13th. Meaning that while we’re on somewhat more solid ground in terms of the California Consumer Privacy Act, many of us are a little shocked and bewildered at what went down, and there’s still the possibility Jason will come limping out of the woods with a machete.
At the end of the session, six bills amending the law in a number of ways are on Gov. Newsom’s desk for signature. Here are some of the highlights.
Employees are not consumers (until 2021). AB 25 would exempt personal information from employees, job applicants, contractors, etc. from CCPA. The exemption lasts only one year, however, by which time the legislature will presumably have come up with another way of protecting this type of information.
De-identified information is not Personal Information. Two bills make sure this will be the case. One changes the definition of Personal Information to begin by excluding de-identified or aggregate information. Another bill removes the strange exclusion of de-identified and aggregate information from “publicly available” information, which was causing a fair bit of confusion.
No brick and mortar = no toll-free number. Another welcome change for online businesses. While the law still requires two methods for submitting rights requests, including a toll-free number for many businesses, those that operate exclusively online are now only required to provide an email address.
If you have an account, use it for rights requests. AB 25 also authorizes a business to require customers that have accounts with them to use that account to submit a verifiable consumer request. Note, the law still prohibits businesses from requiring consumers to create an account in order to submit a request.
Verification is now “reasonable” verification. Businesses have an obligation to verify individuals that submit a rights request; however, that obligation is now qualified with the language “reasonable in light of the nature of the personal information requested.”
Publicly available (still) = public records. AB 874 cleans up the language around public information but doesn’t really change it much, operationally speaking. Thankfully, it removed that weirdness about publicly available information not being de-identified information or aggregate information, which was causing much consternation.
Registration required for data sellers. A dark horse in the running, AB 1202 passed 63-14 and requires “data brokers” to register with the attorney general or risk paying civil penalties, fees and costs associated with any action brought by the AG. Data broker is defined as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” How businesses will register and what information they will need to provide is not defined and will need clarification prior to 2020.
B2B communications are exempt (until 2021). Information supplied in the context of business-to-business communications is no longer subject to CCPA. This exemption is only through the end of 2020, however, so it’s likely whatever employee privacy bill comes to pass will involve B2B communications as well.
There are also a few other changes — exemptions related to vehicle warranties and FCRA clarifications — that are awaiting signatures.
So, hopefully we get a bit of much-needed clarity, provided Newsom signs these. But plenty of questions remain. And who saw that data broker registration thing coming? A plot twist for sure. So, now we move forward with operationalizing what we know, and doing our best to manage those things we don’t. And all the while, lurking in the bushes is CCPA the Sequel: Employee Rights and B2B Communications.