After a busy year of legislative activity that brought forth many proposed amendments to the California Consumer Privacy Act (CCPA), Governor Gavin Newsom will be presented with six bills that will alter and/or clarify the scope of the CCPA. He is expected to sign all of them into law in October.
Employee Data: The original version of the CCPA did not contain an exemption for employees’ personal information. Assembly Bill 25 brings needed clarity to the question of whether employee data will fall under the CCPA. This is a critical issue, given that certain personal information is necessarily used on a daily basis for business. Under AB 25, employees and prospective employees are excluded from most of the CCPA’s protections, which include: the right to request deletion of personal information; the right to inquire about what personal information is collected; the right to inquire about the sources of personal information; the right to inquire about the purpose for collecting or selling personal information; and the right to inquire about the categories of third parties with whom the employer or prospective employer shares their personal information.
The changes in AB 25 do not mean that employers will not face potential liability under the CCPA. Notably, after the AB 25 amendment, employees and prospective employees: (1) are still entitled to receive a privacy notice at or before the time of collecting the employee’s personal information (identifying the categories of personal information the employer collects and the purposes for which such personal information shall be used); and (2) are permitted to maintain a private right of action in the event that their personal information is exposed as a result of the employer’s failure to implement and maintain reasonable security procedures.
The employee exemption in AB 25 sunsets on January 1, 2021—with the expectation that the legislature will more comprehensively address the question of employee data in separate legislation or by further amendments to the CCPA.
Publicly Available Information: A major criticism of the CCPA was that it failed to satisfactorily define “publicly available” information. Assembly Bill 874 broadens the definition of “publicly available” to include “information that is lawfully made available from federal, state, or local government records” regardless of whether the data is being used for a purpose that is compatible with the purpose for which the data is maintained and made available in the government records. The definition of “publicly available” also no longer excludes consumer information that is deidentified or aggregate consumer information.
Clarifying Amendments: Although many practical questions remain after the 2019 legislative session, several key clarifications did make it through the legislative process. Assembly Bill 1355 contains three key clarifications, namely that it:
- Specifically exempts deidentified or aggregate consumer information from the CCPA’s definition of “personal information.”
- Provides a one-year exemption for personal information transmitted in the course of business to business communications. Specifically, AB 1355 excludes from the CCPA’s definition of personal information, such information “reflecting a written or verbal communication or a transaction between the business and the consumer, where the consumer is a natural person who is acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency and whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from such company, partnership, sole proprietorship, nonprofit or government agency.”
- Expands and clarifies the existing exemption for compliance with the federal Fair Credit Reporting Act (FCRA) by stating that the FCRA exception applies to activity authorized by FCRA and not just to the sale of personal information from a consumer credit report.
Consumer Requests for Disclosure Methods: Assembly Bill 1564 adds to the already sizeable CCPA-related burdens for businesses that operate in California. AB 1564 will require brick-and-mortar businesses to provide two contact points for consumers to submit requests for information, including a mandatory toll-free telephone number. By contrast, online-only businesses need only provide a dedicated email address.
Vehicle Warranties and Recalls: Motor vehicle manufacturers enjoy an exemption under Assembly Bill 1446 which exempts vehicle information that is retained or shared for purposes of a warranty or recall-related repair. AB 1446 eliminates a consumer’s right to opt out of providing vehicle or ownership information retained or shared between a motor vehicle dealer and the vehicle’s manufacturer, in connection with a vehicle repair covered by warranty or recall. It also eliminates a consumer’s right to request deletion of personal information necessary to complete the terms of a vehicle warranty or recall.
Data Broker Registration: Assembly Bill 1202 requires that data brokers, i.e. those businesses that “knowingly collect[s] and sell[s] to third parties the personal information of a consumer with whom the business does not have a direct relationship” to register with the California Attorney General. Importantly, two categories of businesses are exempted from the definition of data broker. They include consumer reporting agencies to the extent that they are covered by the Fair Credit Reporting Act (FRCA) and financial institutions covered by the Gramm-Leach-Bliley Act (GLBA).
Failure to comply with the registration requirement will subject those businesses to possible injunctions and liability for civil penalties, fees, and costs in any action brought by the California Attorney General’s office. But AB 1202 does not provide a private right of action for consumers.
These amendments mark the last adjustments to CCPA before the statute takes effect on January 1, 2020. In the meantime, we will be monitoring the issuance of a set of implementation regulations that will be published by the California attorney general’s office, likely in October.
For more information regarding this article, please contact Ashley Fickel.
For information regarding Dykema’s Privacy and Data Security Team, please contact Cindy Motley.
To sign up for Dykema’s Privacy and Data Security Blog e-mail updates, please click here.
As part of our service to you, we regularly compile short reports on new and interesting developments and the issues the developments raise. Please recognize that these reports do not constitute legal advice and that we do not attempt to cover all such developments. Rules of certain state supreme courts may consider this advertising and require us to advise you of such designation. Your comments are always welcome. ©2019 Dykema Gossett PLLC.