Observers have been watching the California Legislature in 2019 to see whether it would amend the 2018 California Consumer Privacy Act (the CCPA or the Act) prior to its effective date of January 1, 2020. The CCPA was passed in a rush in June 2018, and the deferred effective date was widely seen as intended to give the Legislature time to clean up errors and ambiguities in the language of the Act. The last date for the Legislature to address bills this session was Friday, September 13, so the Act, as it now stands, is what businesses should be planning to address.
Early in 2019, legislation (SB-561) was introduced at the urging of the California Attorney General to expand the Act’s private right of action. The CCPA, as enacted in 2018, allows private actions only when there has been an “unauthorized access or exfiltration” of personal information due to a business’s failure to “maintain reasonable security procedures.” SB-561 would have allowed private actions for statutory damages for violations of any of the Act’s provisions, such as the notice or disclosure requirements. It also would have done away with the obligation to give defendants notice and an opportunity to cure any violation prior to filing suit. That bill died in May 2019, to the relief of the business community, which had feared a massive expansion of class action risk if it passed. (Unfortunately, this fight is almost sure to be resurrected in future legislative sessions.)
Seven other bills made it out of committee in May, however, and five were passed on September 12 and 13, at the very end of the legislative session: AB-25, AB-874, AB-1146, AB-1355, and AB-1564. Collectively, they clean up some ambiguities in the Act’s language and provide relief to business in a few specific areas but do not change the overall scope or impact of the Act for most businesses.
Section 1798.140 of the Act lists a number of items carved out from its scope. New subsection (g)(1) added last week now excludes from the Act information obtained regarding a job applicant, employee, owner, director, officer, medical staff member, or contractor of a business, including emergency contact and benefits information, as long as the information is used in that employment context. This carve-out does not apply to demands for disclosure of information under section 1798.100 of the Act and does not eliminate damage claims for “unauthorized access or exfiltration” under section 1798.150. But it nonetheless is significant, in part because it eliminates a potential right employees might otherwise have had to demand deletion of their data.
New subsection 1798.140(m) of the Act excludes from most provisions of the Act information collected from a person who interacts with a business on behalf of his or her employer or other entity. However, claims for unauthorized access and exfiltration of information obtained about such a person may still be brought.
The bills passed last week also clarify the existing exclusion in subsection 1798.140(d) of the Act for consumer credit report information. But such information is also specifically made subject to claims for unauthorized access or exfiltration under section 1798.150. This is a change from the prior text, although some commentators believed that such information would be covered by section 1798.150 anyway.
As modified by the bills passed last week, the definition of “personal information” now excludes, in subsection 1798.140(o)(3), “deidentified” or aggregate information. In its original form, the Act did not clearly exclude those categories from the definition of personal information in all circumstances. The definition of publicly available information has also been streamlined to mean simply federal, state, and local government records. There is no longer any requirement that, to qualify as public information, the record must be used for a purpose consistent with the reason it was originally gathered. Based on the new language in subsection 1798.140(o)(2), if it is public information, it is outside the CCPA, no matter how it is used.
A similarly useful change is confirmation that the Act is about retention and handling of data. The bills passed last week now make clear that the Act does not impose on a business any affirmative duty to collect data it would not otherwise collect in the ordinary course of its business.
A technical change for motor vehicle information, while not important to most businesses, is important for automotive safety (and for avoiding conflicts with federal regulation). Information retained or exchanged between a dealer and a vehicle manufacturer regarding a vehicle or its owner for warranty purposes is now, under subsection 1798.145(g), outside the scope of the Act as long as it is used for warranty purposes. And information necessary to fulfill warranty or product recall obligations is exempt, pursuant to subsection 1798.105(d)(1), from deletion requests under section 1798.105.
Finally, the Act’s provisions regarding how consumers can make requests for deletion or disclosure of their data have been amended. Consumers having an internet account with a business may be required to make requests for disclosure or deletion using that account, and businesses that interact with consumers solely online need only provide an e-mail address to receive requests for disclosure or deletion of information instead of a toll-free number. These provisions will make it easier for businesses to validate and process requests to disclose or delete information.
Certain other proposed amendments to the CCPA did not pass. AB-846 would have clarified the “nondiscrimination” provisions of the Act as they relate to customer loyalty programs. It was ordered to the “inactive file” on September 12, 2019. And AB-1281 would have enhanced the notice given to consumers that facial recognition software is being used on a business’s premises by requiring the posting of a sign stating that such technology is in use at the entrance to the location. This bill was ordered to the inactive file on September 10, 2019. Either of them could come back to life in the next legislative session.
The 2019 amendments to the CCPA described above are largely favorable to business because they clarify the Act, carve out specific conduct, or make compliance easier. But the amendments certainly did not address all issues that may create a need for companies to seek advice from their legal counsel on compliance with the Act.
For example, a better understanding of how businesses can compensate consumers for their data through incentive programs will have to await rulemaking by the Attorney General. This is expected to occur in the next three to nine months. And the ambiguities inherent in section 1798.150 concerning statutory damages still remain. Those ambiguities include the scope of the words “unauthorized access and exfiltration,” what constitutes “reasonable security measures” so as to avoid liability, and the operation of the “notice and opportunity to cure” provisions.
Companies should begin planning now, if they have not already done so, to comply with the Act when it goes into effect on January 1, 2020. The language of the Act today is the language the Act will have on that date. There is no reason to wait any longer to address it.