The California Consumer Privacy Act (the “CCPA”), as initially passed, was the hastily drafted alternative to an even more stringent ballot initiative, resulting in a seemingly endless list of open questions about how it would be interpreted and enforced. Since its passage on June 28, 2018, privacy pundits around the nation have opined about the meaning of the first domestic privacy regulation reminiscent of its European cousin, the GDPR.
In response, the California legislature entered its 2019 session considering a whopping 19 possible amendment bills to the CCPA. When the dust settled, seven of those bills were signed into law.
- AB-25. This amendment temporarily excludes employment (and similar) information from the CCPA’s scope, but only until January 1, 2021. While in effect, this exclusion narrows the scope of the CCPA in a way that the GDPR does not. This is a particularly important amendment for business-to-business companies that do not interact with the personal information of California consumers.
- AB-874. This amendment also narrows the scope of the CCPA by excluding “publicly available information” from the definition of “personal information,” and clarifying that deidentified or aggregate information is “not personal information.” Similar carve-outs also exist in the GDPR.
- AB-1130. Though not a direct amendment to the CCPA, this bill follows the trend of a handful of other states to include biometric information in the definition of “personal information” with respect to a security breach. In other words, it requires businesses that incur a data breach impacting biometric data (such as fingerprints or facial recognition data) to notify the affected individuals and the California Attorney General of the breach. In addition, any California consumers whose biometric data is compromised as a result of a data breach may be able to bring suit pursuant to the CCPA. Effectively, this bill expands a California consumer’s right to sue as provided by the CCPA.
- AB-1146. This amendment exempts vehicle and ownership data from a California consumer’s right to opt out (AKA the ability for a consumer to limit the “sale” of personal information), and the right to deletion for the purpose of vehicle repair relating to a warranty or recall.
- AB-1202. This amendment requires data brokers to register with the California Attorney General.
- AB-1355. This amendment permits the differential treatment of a consumer if such treatment is reasonably related to the value of the consumer’s information to the business. Previously, the CCPA provided that businesses could offer a different rate, price, level or quality of goods or services if such treatment was reasonably related to the value provided to the consumer by the consumer’s data. The amendment also requires a business to make specific disclosures regarding a consumer’s right to access and right to deletion.
- AB-1564. As initially enacted, the CCPA required all businesses to provide two designated methods for a consumer to specify a request to access the personal data the business processes about the consumer, including, at a minimum, a toll-free telephone number and a website address if the business has one. This amendment clarifies that a business operating exclusively online is only required to provide an email address for submitting requests for information.
Through the seven bills signed into law, the California legislature addressed some but not all of the open questions resulting from the CCPA. The ways in which this law will be interpreted and enforced remain largely in flux, and additional amendments and clarifications can be expected. The California Attorney General will hold a series of hearings on December 3–5, 2019 and accept public comment until December 6, 2019. In addition, a new ballot measure called the California Privacy Rights and Enforcement Act has been proposed, which could significantly expand the scope of the CCPA. We will continue to watch these developments with great interest and report on them in this space.