The California State Legislature (‘the Legislature’) passed, on 12, 13 and 14 September 2019, a series of bills related to and amending the California Consumer Privacy Act of 2018 (‘CCPA’) and ordered them to be engrossed and enrolled. In particular, the Legislature passed Assembly Bill (‘AB’) 25, which exempts from the CCPA’s application, until 1 January 2021, information collected by businesses from their employees or contractors, and AB 1355, that requires businesses to disclose to consumers that they have the right to request specific pieces and categories of information that have been collected about them, and allows businesses to require authentication of the consumer that is reasonable in light of the nature of the personal information requested.
Elliot Golding, Partner at Squire Patton Boggs (US) LLP, told OneTrust DataGuidance, “The Legislature had a multitude of amendments in consideration and only passed six bills. A lot of bills that were heavily supported by the industry did not pass (such as amendments clarifying the scope of loyalty programs), which suggests that lobbying efforts were not particularly successful. At this point, it seems unlikely there will be sweeping, material changes in the next term, either, at least pending the release of the California Attorney General (‘AG’)’s regulations and experience as companies come into compliance with the CCPA. The three most important changes are the one-year partial moratorium on CCPA applicability to certain employee data, the one-year partial moratorium on CCPA applicability to certain business-to-business (‘B2B’) data and the data broker registration requirement.”
In particular, AB 25 exempts from all provisions of the CCPA, except for the private civil action provision and the obligation to inform the consumer as to the categories of personal information to be collected, information collected from a natural person by a business in the course of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business, as specified. Moreover, AB 1355 amends technical terms and exempts from the CCPA’s application, personal information reflecting a written or verbal communication or a transaction between the business and the consumer within the context of the business conducting due diligence or providing or receiving a product or service.
In the end, business got very little
Golding continued, “Under AB 25’s moratorium, a business must still provide notice to employees, agents, contractors and job applicants regarding the information collected and purposes for collection but does not have to honour individual rights requests (such as access, deletion, and sale rights). This ‘partial’ exemption lends itself to a lot of complex scenarios […] for example, if employee data is used for purposes outside of core employer-employee relationship functions (such as if an employer ‘sells’ the data), then such data might not be entitled to the partial exemption. AB 1355 (which is set to expire on 1 January 2021), partially excludes certain B2B information from most CCPA requirements [and] like with the partial exemption for employee data, the ‘partial’ nature of this exemption will raise complex questions at the margins, such as whether data ‘purchased’ to engage in cold call marketing remains subject to the exemption (probably not).”
The Legislature also passed AB 1146, which adds a product recall exception to the right of deletion regarding vehicle information, and AB 1564 which requires a business to make available a toll-free telephone number or an email address for specific information requests. Lastly, the Legislature passed AB 1202 requiring data brokers, which are defined as businesses that knowingly collect and sell to third parties personal information of consumers, with whom the businesses do not have a direct relationship, to register with the AG and provide certain information, including the name of the data broker and its primary physical, email, and internet website addresses as well as further information or explanation concerning their data collection practices.
Tanya Forsheit, Partner at Frankfurt Kurnit Klein & Selz PC noted, “There was a lot of discussion but in the end, business got very little, not even reasonable modifications like a standard for deidentification that would have aligned with the Federal Trade Commission standard or the removal of the term household from the definition of personal information (which puts consumer safety in danger). It remains to be seen how the AG interprets the scope of AB 1202, where the definition of data broker is very similar to the Vermont Data Broker Law. But the definitions of personal information and sale are much broader. Much of this comes down to the overbroad definition of sale, which has been problematic from the start in the CCPA.”
The California Governor, Gavin Newsom, has until 13 October 2019 to sign the bills into law.
NIKOS PAPAGEORGIOU Privacy Analyst