Companies across the United States have spent the last year grappling with the California Consumer Protection Act, codified beginning at Cal. Code Civ. Proc. § 1798 (CCPA), which goes into effect in many respects on January 1, 2020 and provides expansive new privacy rights to California consumers.
As we explained in more detail in Part I and Part II of our initial CCPA review, because of the broad scope of the law, companies located outside California are reviewing the law’s baseline criteria to determine if the business they do with California consumers will require CCPA compliance. That scope, combined with the operational difficulties in restricting the new privacy protections only to Californians, means that California-based companies are not the only ones thinking about the CCPA. However, companies aiming to comply with the CCPA got some much needed clarity and temporary reprieve in the form of several California Assembly bills amending the CCPA.
On September 13, 2019, the California Assembly passed five amendments, which include a one-year delay in applying most of the CCPA requirements to two significant sources of personal information:
- Personal information collected for purposes of an employment or similar relationship (AB-25).
- Personal information collected and used in business-to-business communications and transactions (AB-1355).
This article explores the effects of these amendments.
As initially adopted, whether employees were considered “consumers” whose data are protected by the CCPA was unclear. In AB-25, the Legislature clarified its intentions – or kicked the can down the road.
Under the bill, personal information that a business collects and uses solely in the context of the person’s role as a current or former job applicant, employee, owner, director, officer, medical staff member, or contractor, and their emergency contacts and plan beneficiaries (Employee) is exempt from most of the CCPA’s requirements for one year. However, AB-25 provides some major caveats:
- First, the amendment merely delays the application of the CCPA to Employee data until January 1, 2021. And, because the law will require, as of that date, that businesses disclose data collected during the prior 12 months upon request, a business will still be required to trace the categories of Employee information being collected back to January 1, 2020 absent further deferral or exemption by the Legislature.
- Second, the employee data carve-out applies only when the business uses the data for employment relationship purposes. A business will still need to comply with the disclosure, right to opt-out of sales of personal information, and other CCPA requirements if it uses an Employee’s data to, for example, market goods and services to them or where the business is otherwise using the data to interact with the individual not as an employee but as a normal consumer.
- Third, the Employee data carve-out does not prohibit an employee from filing a civil action under the private right of action provision for data breaches involving his or her data.
- Finally, businesses are still required to inform Employees about the categories of data collected about them.
- When implementing procedures to respond to consumers’ requests to exercise their rights under the CCPA (e.g., disclosure of personal data collected), businesses should ensure that employees are also permitted to exercise the full suite of CCPA rights for data used for marketing or other non-employment purposes. For example, assuming that the CCPA does not apply to data simply because it resides in an “employee” database would be improper. Understanding the data’s use is key.
- In time for January 1, 2020, businesses should identify ways in which they market goods and services to their own employees and the ways the business shares this personal information with third parties that, in turn, may use the information for commercial purposes.
- Businesses should continue monitoring categories of personal information collected about employees, to ensure that this information can be disclosed to employees starting January 1, 2020, if necessary.
- Businesses should be alert to the possibility that they may need to provide employees with the full suite of CCPA rights related to all the employees’ data starting January 1, 2021, when the carve-out is set to expire.
With AB-1355, the Legislature broadened the scope of exemption for personal information collected in the business-to-business context:
- Communications in the context of business-to-business transactions (exempt for a one-year period).
- Credit inquiries/reporting to the extent these activities are subject to the Fair Credit Reporting Act, 15 U.S.C. § 1681 (FCRA).
Neither of these exemptions will block an individual’s private right of action in the event of a data breach.
Like the carve-out for employee data, the inter-business exemption has a one-year sunset provision to allow the Legislature time to more broadly consider – and privacy advocates and businesses to debate – what protections should apply in the business context.
In short, AB-1355 provides that personal information is not subject to the CCPA’s requirements when:
- the personal information relates to a consumer who is an employee, owner, director, officer, or contractor of a business (Representative); and
- the information relates to a communication or transaction between that Representative and a third-party business; and
- the third-party business is engaged in the communication or transaction solely for the purpose of either (1) conducting due diligence about the consumer’s business, or (2) providing/receiving goods or services to the Representative’s business.
There are some important caveats about the carve-out for business-to-business exchanges.
- First, as written, the carve-out only explicitly applies to information about the representatives affiliated with one of the businesses engaging in the transaction or communication. While some commentators have suggested that the carve-out could also apply to any data that is provided by the Representative in the context of due diligence (for example, customer lists, purchase history, etc. related to other consumers but provided by an employee to the third-party business), the carve-out does not appear on its face to be so broad.
- Second, the California Senate analysis of the bill indicates that one purpose of the exemption is to prevent an employee of one business from asserting privacy concerns to stop a second business from conducting a due diligence investigation of the employee’s business.
The FCRA-related amendment does not contain the one-year sunset to allow for re-examination by the Legislature. This amendment permanently broadens the original CCPA provision by exempting “any [FCRA-regulated] activity involving the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by specified parties, including a consumer reporting agency, as defined.” This exemption covers credit reporting agencies and businesses that qualify as either a furnisher or user of consumer reports under FCRA.
- For businesses: This is really a “wait and see” situation. Europe’s General Data Protection Regulation (GDPR) does not exempt business-to-business exchanges of business contact or similar business-only personal data from the rigorous protections of the GDPR. Companies that exchange data solely in the context of business-to-business transactions should keep an eye on whether the California legislature makes the B2B carve-out permanent, or follows the GDPR example and regulates how this type of information is protected.
- For individuals: The FCRA exemption reinforces the importance to consumers of freezing their credit reports and regularly reviewing them. Because this information will continue to move freely among business users, consumers should use all available tools to protect themselves against identity theft.
In addition to the two major exemptions/deferrals discussed above, the five new CCPA amendments also brought about a number of other changes and much needed clarifications. These include (among others):
- Clarifying that unintended disclosure of de-identified and aggregate consumer information cannot be the basis of a data-breach lawsuit.
- Allowing businesses to provide incentives to consumers who voluntarily provide their information, so long as the incentives are reasonably related to the value to the business of data provided.
- Requiring data brokers (companies that do not have a first-party relationship with the consumer) to register with the California Attorney General.
- Allowing a business to require consumers to submit requests through pre-existing accounts maintained with the business.
- Allowing internet-exclusive businesses to provide an email address (versus telephone number) for consumer requests.
These amendments came at the close of California’s 2019 legislative session, and California Governor Gavin Newsom has until October 13, 2019 to sign these amendments. His office has been silent since their passage, but, based on his broad support for the CCPA and consumer rights, it is expected he will sign them all into law.