October brought three new developments to California’s comprehensive data privacy law, the California Consumer Privacy Act (“CCPA” or “Act”). First, the state enacted a series of amendments to the CCPA that both clarify ambiguities and create new exceptions. Second, we learned that the organization whose 2018 ballot initiative pushed California to enact the CCPA is planning to introduce another data privacy ballot initiative in 2020. Finally, California’s Attorney General published draft regulations for notice and comment.
Here we focus on the first two developments: the CCPA Amendments and the 2020 ballot initiative.
California’s legislative session ended on September 13, 2019, and the state managed to enact a slew of amendments to the CCPA before the session’s close. These amendments include four notable exceptions to the Act, changes designed to clarify businesses’ operational requirements, an amendment clarifying the definition of “personal information,” and the creation of a data broker registry.
The amendments include several provisions designed either to clarify the scope of existing exceptions to the Act or to create new exceptions. The most notable new exceptions include the following:
- Excepting certain “business to business” communications, in which a California resident communicates with a business in the resident’s capacity as an employee, manager, or owner of another business. This provision sunsets on January 1, 2021.
- Broadening (or at least clarifying) the CCPA’s existing exception for consumer reporting agency information that is subject to the federal Fair Credit Reporting Act.
- Excepting information relating to employees and job applicants from the CCPA. This provision sunsets on January 1, 2021.
- Excepting, from the right to “opt out” of third-party sales, “vehicle information” and “owner information” shared between a new vehicle dealer and a manufacturer. This exception applies only to information about a vehicle and the vehicle’s owner that is used for purposes of a warranty or a recall.
The amendments also help to clarify some of the operational changes businesses may need to make to comply with the Act. While the Attorney General’s draft regulations provide additional clarity on this front, the amendments are welcome news for businesses that are (wisely) not waiting for final regulations to start their CCPA compliance efforts. These amendments:
- Allow businesses to require consumers to log in to accounts, if they already maintain accounts, before disclosing personal information pursuant to a consumer’s request for information. In short, this amendment clarifies that businesses can require account holders to log in as part of the process for verifying an account holder’s identity. Businesses still cannot require a consumer to create a new account, if they do not already have an account, as a condition for receiving requested information.
- Permit businesses that operate exclusively online and have a “direct relationship” with a consumer to provide only an email address, instead of both an email address and a phone number, for making requests related to the consumer’s personal information.
- Specify that nothing in the CCPA requires businesses to retain personal information longer than they otherwise would.
The amendments further clarify that “personal information” does not include de-identified or aggregated consumer information, at least insofar as the de-identified or aggregated information cannot reasonably be re-identified with a consumer. Many practitioners were already interpreting the CCPA’s definition of personal information to exempt de-identified and aggregated information, and this amendment confirms that interpretation.
Data Broker Registry
Finally, the amendments require “data brokers” to register with the Attorney General and pay a fee. The Attorney General is then required to create a public database of registered data brokers. The term “data broker” is defined as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” The term does not include consumer reporting agencies, financial institutions covered by the Gramm-Leach-Bliley Act, and entities covered by California’s Insurance Information and Privacy Protection Act.
Eye Toward 2020: The California Privacy Rights and Enforcement Act
In 2018, Californians for Consumer Privacy crafted a consumer privacy ballot initiative that was widely expected to pass in California. At the 11th hour, the group struck a compromise with the California legislature and agreed to pull the ballot initiative in exchange for the legislature enacting the CCPA. Two years later, the consumer privacy group is back at it, this time with a ballot initiative designed to strengthen the CCPA’s consumer protections. The “California Privacy Rights and Enforcement Act of 2020” would revamp the CCPA to add new protections for “sensitive personal information,” create new disclosure requirements surrounding automated decision-making, establish a new agency to enforce the law, and more. In a letter announcing the ballot initiative, Californians for Consumer Privacy’s Founder Alastair Mactaggart explained that the ballot initiative would:
- “Create new rights around the use and sale of sensitive personal information, such as health and financial information, racial or ethnic origin, and precise geolocation.”
- “Provide enhanced protection for violations of children’s privacy by tripling CCPA’s fines for breaking the law governing collection and sale of children’s private information and would require opt-in consent to collect data from consumers under the age of 16.”
- “Require much-needed transparency around automated decision-making and profiling, so consumers can know when their information is used to make adverse decisions that impact lives in critical ways, including employment, housing, credit, and even politics.”
- “Establish a new authority to protect these rights, the California Privacy Protection Agency, which will simultaneously enforce the law and provide necessary guidance to industry and consumers, many of whom are struggling to protect themselves in an increasingly complex digital ecosystem, where hacking and identity theft remain a terrible problem.”
- “Protect our democratic processes by fixing election disclosure laws and requiring corporations to disclose whether, and how, they use personal information to influence elections.”
- “Most importantly, it would enshrine these rights by requiring that future amendments be in furtherance of the law . . . .”
We will be carefully monitoring this ballot initiative as November 2020 approaches to see whether it leads to another last-minute compromise with the California legislature or whether it becomes law.
The CCPA generally applies to companies with revenues exceeding $25 million that do business in California and collect California residents’ personal information. The term “does business” is not defined by the CCPA but likely encompasses companies transacting with California residents online even if the business lacks a physical presence in the state. Foley Hoag has a dedicated CCPA Compliance Team that can help you understand whether the CCPA applies to your business and what compliance obligations you may have under the Act.