The California legislature made substantial modifications to the California Consumer Privacy Act (CCPA) earlier this month ahead of its January 1, 2020 effective date. The amendments change certain company obligations and offer more particulars for businesses still scrambling to comply with one of the most sweeping acts of U.S. legislation aimed at bolstering consumer privacy.
Five amendments shape the CCPA’s future
The California legislature passed five amendments to the CCPA (AB-25, AB-874, AB-1146, AB-1355 and AB-1564) on September 13 before adjourning its legislative session for the year. After its hasty passage in June 2018, the CCPA faced backlash and a push for revisions. The five amendments attempt to clarify certain provisions and make the law easier to implement.
- Limit the definition of “personal information” to “information that identifies, relates to, describes, or is reasonably capable of being associated with a particular consumer or household.” The CCPA’s original definition did not have the limiting reasonability term.
- Clarify information that is not considered personal information: 1) consumer information that is de-identified or aggregated; and 2) personal information gathered in the context of a business-to-business transaction.
- Eliminate the consumer’s “opt-out” right as it applies to vehicle information or ownership information shared between a new motor vehicle dealer and the manufacturer, so long as the information is shared for the purpose of vehicle repairs covered by a warranty or recall and is not further shared or sold for other purposes.
- Exempt the CCPA from applying to most employment information, at least initially. Personal information collected relating to a job application, employment, ownership, or role as a director, officer, medical staff member, or contractor of a business is exempt from the CCPA requirements so long as the data is collected and used solely within the context of the person’s role or former role with the business. However, this exemption is set to expire on January 1, 2021.
- Exempt the CCPA from applying to activities relating to consumer credit reports from or to a consumer reporting agency to the extent that the information is subject to regulation under the Fair Credit Reporting Act and the use/disclosure is allowed under that act. This does not change the breach notification requirements in the event of a data breach.
- Change the required avenues some businesses must provide to consumers to request data use information. If a business operates exclusively online and has a direct relationship with the consumer whose personal data it collects, the business is not required to maintain a toll-free phone number for information requests. Exclusively online businesses only need to maintain an email address for such requests.
- Require businesses that maintain a website to allow consumers to submit requests for certain data use information via that website.
- Clarify that the CCPA does not require a business to collect personal information it would not otherwise collect, retain information longer than it would otherwise retain, or re-identify or link information not otherwise maintained.
Notably, the California legislature did not pass industry-backed amendments that would have allowed companies to collect personal information to offer loyalty programs without worrying that the practice was discriminatory under the law. It also did not increase exclusions relating to targeted advertising and fraud detection, or expand the definition of “de-identified,” like big players in the industry had hoped.
Things to watch prior to CCPA’s implementation date
While California’s legislative session is over, the Attorney General is expected to provide further clarification via regulations issued in October. A comment period will follow, prior to the regulations’ finalization.
Enforcement actions brought under the CCPA will not begin until the earlier of July 1, 2020, or six months after the California Attorney General publishes its final regulations governing the Act.
Guidance for companies required to comply with CCPA
As the 2020 implementation and enforcement deadlines draw closer, companies should continue to evaluate and make changes to their consumer data use policies and procedures. Potential action items include:
- Create a data map that traces what personal information is collected, used, processed, stored, or sold by the company, including employee information
- Document business compliance processes and procedures in case the business needs to defend against an enforcement action
- Develop and implement required training for individuals who will be responsible for handling consumer inquiries about the business’s privacy practices or CCPA compliance
- Confirm privacy policies include a method for submitting requests permitted under CCPA
- Revise privacy policies and California-specific descriptions of rights to include the consumer rights granted in the CCPA
- Update privacy policies to include both a list of categories of information the business has collected about consumers and categories of information the business has sold or disclosed for a business purpose within the last twelve months
- Ensure the business has written agreements with any third party receiving customer information that limit the use of such information to providing the specified services to the business
Adams and Reese’s previous alert on action items under the CCPA provides more detail on the data privacy rights established by the CCPA, as well as additional potential action items for covered entities.
Our Privacy, Cybersecurity and Data Management Team will continue to share the latest developments and provide insights as we continue to monitor the ever-changing, ever-shifting legal landscape.