FINAL TWEAKS ON THE CCPA

The California legislature finally passed amendments, and now the new privacy law is creeping ever closer.

By Alan Friel

ON SEPTEMBER 13, literally the last day of the 2019 California legislature, six amendments to the California Consumer Privacy Act (CCPA) were approved by lawmakers. Now they move to the desk of Governor Gavin Newsom, who must sign or veto these bills by Oct. 13. Before that deadline, the California Attorney General’s office is expected to publish a first draft of the regulations implementing the new law—probably in late September or early October. And the CCPA goes into effect on Jan. 1, 2020.

    If the bills become law, they will clean up some of the vague language that has been much criticized since the CCPA was rushed through the legislature in June 2018. Among the substantive changes, businesses will gain a welcomed one-year respite from much of the applicability of the CCPA to personal information (PI) when the information is collected from people who are not acting as consumers of household goods and services. The problem was that the CCPA uniquely defines “customers” as state income tax payers, which means that it swept up employee data from a company’s human resources department as well as communications involving business-to-business transactions.

    The proposed amendments also will require a business that collects and sells consumer PI, but does not have a direct relationship with those consumers, to register with the state as a data broker. In addition, the bills address the scope of PI that is covered by the act, the meaning of certain consumer rights (and how those rights are to be administered) and what training is required of personnel who will handle privacy inquiries and requests.

What the Amendments Say

Let’s take a few minutes to break them down. A.B. 25 provides that, until Jan. 1, 2021, only the precollection notice requirement and the private right of action for data security incidents will apply to PI that is collected by a business from a person acting as a job applicant, employee or contractor who is performing services under a written agreement. It will also clarify that a business need not collect PI it would not normally collect, or retain personal information it would not normally retain, just to be available to satisfy consumer rights. 

     A.B. 1355 provides a one-year delay in the imposition of obligations on a company that collects PI from a person acting on behalf of another business that provides or receives products or services to or from that company. It is important to note that this does not include communications when people are acting on behalf of themselves or other consumers, but rather only addresses business-to-business communications. In addition, AB 1355 clarifies that the standard for evaluating the value of PI to determine the reasonableness of financial incentives and differential pricing exemptions is the value to the business, not to the consumer. Also, if the bill survives, it will amend the Fair Credit Reporting Act to clarify that the FCRA applies only to PI furnished to credit reporting agencies to the extent that such information is subject to regulation by the FCRA and is not used, communicated, disclosed or sold except as authorized by the FCRA.

     A.B. 874 amends the definition of “publicly available information,” which is deemed not to be PI regulated by the CCPA, by removing the government-purpose limitation. Currently, the CCPA does not apply the exception if “the data is used for a purpose that is not compatible with the purpose for which the data is maintained and made available in the government records.” If this bill becomes law, all that will be required to take data out of the scope of the CCPA’s rights and obligations is to show that it is lawfully made available from federal, state or local government records and does not include biometric information collected by a business about a consumer without the consumer’s knowledge.

    At first this seems like a hole you can drive a Mack truck through--and maybe you can, if you want to take the time to establish the legal availability of specific pieces of specific consumers’ PI from public government publications and unrestricted data bases. However, most companies seem unlikely to do that—except for certain marketing and product data, where there is enough need to bother with the exception. (A less impactful exception is provided by AB 1146, which adds exemptions for certain vehicle information shared in connection with warranty repairs and recalls.)

    AB 874 also clarifies that deidentified information and aggregate consumer information are not PI. The bill would also add the word “reasonably” before “capable” as part of “capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household” in the definition of PI.

    If A.B. 1564 becomes law, there would no longer be a requirement for a toll-free method of receiving consumer rights requests for a “business that operates exclusively online and has a direct relationship with a consumer.” However, how many major businesses are truly exclusively online? Don’t most have customer care, if not telemarketing, call centers? ‘

    Finally, a bill that had gone somewhat under the radar in recent months was rushed back into play and passed with the others. A.B. 1202 says that a business that knowingly collects and sells consumer PI, and lacks a direct relationship with those consumers, must register with the California AG, whose office would then publish the names and contact information of the registrants on its website. The intent of the law is to provide consumers with a way to identify businesses that may be collecting and selling their information, and to exercise their do-not-sell and other consumer privacy rights (e.g., to obtain a copy of the PI and/or request its deletion).

    Assuming California’s governor signs the bills in the coming weeks, they will provide some welcome clarifications of the law. But it will be up to the AG to provide further guidance, and the first draft should be coming soon—followed by a public comment period. So sharpen your pencils and stay tuned.

https://www.cyberinsecuritynews.com/ccpa-amended

Alan Friel is a partner at BakerHostetler, resident in California, and an adjunct professor at UCLA and Loyola Marymount Law School. He may be reached at [email protected].