Jamie Nafziger and Divya Gupta, Dorsey & Whitney Partners
Businesses may receive a bit of breathing room as a result of two amendments to the California Consumer Privacy Act (CCPA) passed on Friday, September 13, 2019, by the California Legislature. The Legislature gave businesses a one-year moratorium on two significant aspects of the law: its application to employees, job applicants, owners, officers, directors, medical staff members, and contractors; and its application to business-to-business transactions. The Governor has until October 13, 2019, to sign or reject the amendments. Although the amendments provide some of the needed clarifications and error corrections and a significant break from needing to respond to certain data subject requests from employees and B2B contacts, businesses will still need to complete their data mapping (even for these categories of consumers) and will still need to be prepared to offer the rights not exempted on January 1, 2020, even if these amendments are signed by the Governor.
For those following the process, five bills passed the Legislature: AB 25, AB 874, AB 1146, AB 1355, and AB 1564. Proposed amendment AB 846 on loyalty programs was shelved. In addition to the two widely applicable amendments about employees and business-to-business transactions discussed in detail below, the Legislature also passed a number of minor or narrowly applicable amendments. The amendments amount to 98 pages of printed material. We will cover only the more significant of them in this article.
The employment-related amendments in AB 25 exempt businesses from many of the CCPA’s requirements for one year when applied to employees, job applicants, owners, officers, directors, medical staff members, and contractors “to the extent that the natural person’s personal information is collected and used by the business solely within the context of the natural person’s role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or a contractor of that business” (emphasis added). The amendment also covers certain use of personal information in the context of emergency contact information and benefits administration.
If AB 25 is signed by the Governor, two CCPA requirements will still apply to these types of individuals when collected and used in this context: (1) the requirements to inform them about the categories of personal information collected and the purposes for which the personal information will be used in 1798.100(b) and (2) the right to sue in a private right of action after a data breach in 1798.150. This would mean the other consumer rights to deletion, access, opt-out of selling, and no price discrimination would not apply in this context for one year (until January 1, 2021). This will be a welcome change to most businesses, to the extent it gives them a break from the experience EU businesses have had responding to data subject requests from employees, ex-employees and job applicants in Europe since the General Data Protection Regulation (GDPR) became effective. Unfortunately, even if this amendment becomes law, businesses will still need to complete their data mapping and draft disclosures in connection with the information of employees, job applicants, owners, officers, directors, medical staff members, and contractors.
The business-to-business (B2B) moratorium in AB 1355 would exempt businesses from many of the CCPA’s requirements for one year when applied to “personal information reflecting a written or verbal communication or a transaction between the business and the consumer, where the consumer is a natural person who is acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency and whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from such company, partnership, sole proprietorship, nonprofit or government agency” (emphasis added).
The B2B moratorium would not apply to collection or use of personal information outside of the context described in this amendment, to the right to opt-out of “selling” in 1798.120, to the price discrimination provisions of 1798.125, or to the right to sue in a private right of action after a data breach in 1798.150. If this amendment is signed into law, businesses will have a break until January 1, 2021, in the requirements of notice, deletion, access, information about onward disclosures, the opt-out link and the means for exercising consumer rights when it comes to B2B diligence or product/service provision or receipt. This means businesses would still need to complete their data inventories of information received in a B2B context, be prepared to respond to opt-out requests, and apply all other sections of the CCPA to uses of B2B personal information outside of the diligence or transaction itself (such as marketing uses).
Other important amendments include:
- Clarifications regarding authentication of data subject requests in AB 25;
- Changes to language regarding methods for submitting data subject requests in AB 1564;
- Changes to exempt certain vehicle-related information from the right to opt-out from selling in AB 1146;
- Changes to exempt certain warranty and product recall information from the right to deletion in AB 1146;
- Changes to the definition of “personal information” in connection with the reasonability of associating information with a particular consumer or household, with the definition of “publicly available,” and with the applicability to deidentified or aggregate consumer information in AB 874;
- Correction of errors in the price discrimination section 1798.120 about “value provided to the consumer” versus “value provided to the business” in AB 1355;
- Clarification regarding impact of encrypting and redacting personal information on civil right of action in AB 1355;
- Changes to the exemption regarding consumer credit and related information in AB 1355; and
- Error corrections in 1798.110(c) regarding privacy notice requirements and in 1798.115(a)(2) regarding right to know in AB 1355.
If these amendments are signed by Governor Newsom by October 13, 2019, they will provide a one-year extension in connection with some provisions of the CCPA. However, the majority of the provisions related to consumer privacy will still be in effect. No fundamental rights have been removed from the CCPA. Businesses will need to continue their compliance efforts with focused intensity over the next several months. We will provide updates regarding the Governor’s actions and the California Attorney General’s regulatory guidance as they become available.
The completed legislative session gives businesses a clearer understanding of the CCPA’s obligations (subject of course to signature by Governor Newsom). For those companies not previously required to comply with the European Union’s GDPR, this may pose significant operational and technical challenges. Dorsey has developed fixed fee packages to help clients on their CCPA compliance journey, a simple screening tool which is publicly available to help companies understand whether the CCPA affects them, and a more comprehensive online self-assessment tool for our clients, which can be requested by emailing Dorsey at CCPA.Assessment@dorsey.com.