California’s legislative session ended Friday, Sept. 13, and with it ended any hope of significant changes to the California Consumer Privacy Act of 2018 (CCPA). However, just as we were settling in to the new reality created by the CCPA, the group behind the original CCPA ballot initiative announced that they are seeking signatures for a new initiative, The California Privacy Rights and Enforcement Act of 2020 (CCPA 2.0), that will be voted on in the 2020 election. This one will bypass the legislative process and will go straight to the ballot to be voted on by the residents of California. If passed, the initiative would significantly expand both the business obligations and consumer protections put in place by the current CCPA.
Below is a recap of where the current CCPA stands and what to expect next.
Progress on the Current CCPA
- As predicted, there were no radical changes to the CCPA’s requirements. While there were some helpful clarifications, including allowing internet-only companies to receive consumer requests online rather than having to provide a toll-free number, the bones of the law remain unchanged.
- The bills that passed included exemptions for employee and B2B data, but these exemptions will sunset after one year and in each case still allow for a private right of action for a security breach.
- A bill requiring “data brokers” to register with the state passed. While not part of the CCPA, the expanded definition of “sale” under the CCPA may mean that companies that do not consider themselves to be data brokers could be impacted by this requirement.
- This isn’t over. Additional amendments may be introduced next year, and we have yet to see the Attorney General’s proposed rules. Keep up to date with Loeb & Loeb’s CCPA Amendments Tracker and look for additional guidance on the rule-making process.
CCPA 2.0 Key Changes
- Introduces GDPR-like principles, including purpose limitation, storage limitation, data minimization and data integrity (or the right to accuracy).
- Introduces a new category of data — “Sensitive Personal Information,” which includes health and financial information, racial or ethnic origin and precise geolocation — and provides consumers with the right to opt‐in before the sale of this information and the right to opt‐out of its use for advertising.
- Introduces new requirements for “profiling” activities, requiring a business to disclose whether it is using a consumer’s personal information for profiling if that profiling had or could reasonably have had an “adverse” effect on the consumer. Companies are also required to provide meaningful information about the logic involved in using consumers’ personal information for this purpose.
- Establishes a California Privacy Protection Agency. This agency is tasked with enforcing the law (imposing administrative fees, but leaving civil penalties to AG enforcement) and providing guidance to industry and consumers.
The details of the amendments are outlined in our tracker, but below are some of the key bills we were tracking:
- A.B. 25 (Employee Exemption) — A.B. 25 exempts personal information pertaining to employees, owners, directors, officers, medical staff members, job applicants, contractors or agents of a business from the scope of the CCPA (provided that such information is collected and used “solely within the context of the person’s role” as an employee, etc.). As expected, based on the last round of amendments, this exemption will expire on Jan. 1, 2021, and businesses are still required to provide these individuals with privacy notices that comply with the CCPA’s disclosure requirements. These individuals retain their right to bring a private action for security incidents.
- A.B. 25 (Reasonable Authentication Allowed) — A business may require authentication of a consumer that is reasonable in light of the nature of the personal information requested, and if the consumer maintains an account with the business, the business may require the consumer to submit the request through that account.
- A.B. 874 (Expanded Publicly Available Information Exemption) — A.B. 874 removes the requirement that for data to qualify for the “publicly available” information exemption, it must be used for the purpose for which it was maintained. Such information can now be used for any purpose.
- A.B. 874 (Minor Clarification to the “Personal Information” Definition) — A.B. 874 clarifies that information must be “reasonably” capable of being associated with a particular consumer or household in order to qualify as personal information. The corresponding clarification to the definition of “de-identified information” did not pass.
- A.B. 1564 (Updating Disclosure Methods for Online Businesses) — A business that operates exclusively online and has a direct relationship with a consumer from whom it collects personal information is only required to provide an email address for submitting requests for information required to be disclosed (instead of a toll-free number).
- A.B. 1146 (Exemption for Vehicle Warranties and Recalls) — A.B. 1146 exempts, from the right to delete, personal information that is necessary for the business to fulfill the terms of a written warranty or product recall conducted in accordance with federal law. There is no exemption for the right to opt out.
- A.B. 1355 (Clean-Up Bill) — A.B. 1355 is a cleanup bill that addresses some drafting errors in the CCPA. A few highlights:
  - De-identified or aggregate consumer information is clearly excluded from the definition of PI.
  - The exemption from the prohibition on discrimination applies when the differential treatment is reasonably related to value provided to the business by the consumer’s data (rather than the value provided to the consumer, as currently drafted).
  - Clarifies that the Attorney General may adopt additional regulations to address verifiable consumer requests for specific pieces of personal information relating to a household in order to address obstacles to implementation and privacy concerns.
  - Provides a one-year exemption from certain portions of the CCPA (disclosure, deletion, access but NOT sale or private right of action for breach) for personal information communications/transactions between the business and a consumer acting in a B2B context. Note: It’s unclear whether an individual contractor falls under this exemption or the employee exemption (which entitles the contractor to a disclosure under 1798.110).
  - Clarifies that personal information must be nonencrypted AND nonredacted to trigger private right of action if that information is subject to a breach.
- A.B. 1202 — Though not part of the CCPA, A.B. 1202 requires “data brokers” to register with, and provide certain information to, the Attorney General. A data broker is defined as a business that knowingly collects and “sells” personal information to third parties when the business does not have a direct relationship with the consumer; CCPA exemptions apply (FCRA, GLBA, CMIA, etc.).
What didn’t pass?
- A.B. 846 (Loyalty Programs) — This bill would have “clarified” that the CCPA does not prohibit a business from offering a different price, rate, level, or quality of goods or services to a consumer if the offering is (1) in connection with the consumer’s voluntary participation in a loyalty or rewards program or (2) “for a specific good or service with a functionality that is directly related to the collection, use or sale of the consumer’s data.” This bill was subject to much debate and may have caused more confusion than clarification.
What Happens Next?
Gov. Gavin Newsom must sign or veto the bills by Oct. 13 in order for them to go into effect on Jan. 1. We expect that all of the bills will be signed into law (although some industry groups are encouraging Gov. Newsom not to sign A.B. 1202, the data broker registry, into law).
With this round of amendments finalized, the California AG’s office is expected to issue its notice of proposed rule-making in the upcoming week(s). As a reminder, the scope of the AG guidance includes:
- Establishing exceptions necessary to comply with state or federal law, including, but not limited to, those relating to trade secrets and intellectual property rights.
- Establishing rules and procedures:
  - To facilitate and govern the submission of a verified consumer request.
  - To govern business compliance with a consumer’s opt-out request.
- Advising on the development and use of a recognizable and uniform opt-out logo or button by all businesses to promote consumer awareness of the opportunity to opt out of the sale of personal information.
- Guidance on the format of the notices and information that businesses are required to provide (to ensure they are easily understood by the average consumer, accessible to consumers with disabilities and available in the language primarily used to interact with the consumer).
- Establishing rules and guidelines regarding financial incentive offerings.
The final text of the CCPA 2.0 will reflect the changes made by the recent amendments. With respect to the new obligations, California Elections Code (ELECT CA ELEC § 9002) allows the California Attorney General to hold a 30-day review process and public comment period, after which the initiative may be amended before it appears on the ballot. We will be monitoring the progress of these legislative developments and plan to have a detailed analysis of the CCPA 2.0 out shortly.
How Can You Stay Up to Date?
If you or other members of your organization have questions about the CCPA (1.0 or 2.0), any of the proposed amendments or the legislative process, please contact our Privacy, Security and Data Innovations team. We will also be posting updates in our CCPA Amendments Tracker and will continue to provide you with updates throughout this process.