California Lawmakers Finalize the California Consumer Privacy Act … at Least for Now

With only four months until the Jan. 1, 2020, effective date for the California Consumer Privacy Act (CCPA), on the very last day of the 2019 legislative session (Friday, Sept. 13, 2019) the California State Legislature sent two noteworthy amendments to Governor Newsom for signature. After months of negotiation, it appears virtually certain that AB 25 (regarding California-based employees) and AB 1355 (B2B moratorium and technical corrections) will become law. While the basic framework of the CCPA remains intact, these amendments potentially impact the nature, scope, and timing of CCPA compliance for thousands of businesses, service providers, and third parties.

Businesses With California Personnel Get a Temporary Reprieve

Businesses with employees, owners, directors, officers, medical staff members, contractors, or job applicants who reside in the state of California will likely benefit from AB 25. With limited exceptions, AB 25 exempts from the CCPA certain  personal information collected by a business about these individuals until Jan. 1, 2021. This moratorium applies to such personal information to the extent collected and used by the business solely in the context of (i) the individual’s current or former role with the business, (ii) having an emergency contact on file, or (iii) administering benefits.  

The CCPA does not apply to personal information that falls within AB 25, with two exceptions:

• Businesses are required to provide notice “at or before the point of collection” regarding the categories of personal information to be collected, and the purposes for which each category of information will be used (Sec. 1798.100(b)). Subsequent to providing notice, businesses are restricted from collecting any additional categories of information, or using personal information for additional purposes, without providing the individual with further notification that is “consistent” with applicable provisions of the CCPA.     
• California residents retained the right to institute a civil action against a  business (in this case, their employer) for damages arising due to unauthorized access and exfiltration, theft, or disclosure of their personal information  (Sec. 1798.150) that results from the business’s failure to “implement and maintain reasonable security…appropriate to the nature of the information.” Individuals, who are relieved from any obligation to prove damages, are eligible for statutory damages ranging from $100 to $700 per individual, per incident.  

While the moratorium regarding application of the CCPA to California-based employees is arguably the most important aspect of AB 25, the amendment also provides guidance on verifying and responding to consumer requests for access to or deletion of their personal information. As originally adopted, the CCPA essentially left verification standards largely to the discretion of businesses. According to AB 25, businesses should adopt an approach to verification that is “reasonable in light of the nature of the personal information requested.” Consumers cannot be required to create an account with the business to exercise these rights. An account holder, however, may be required to submit requests for access or deletion through the account. 

The CCPA requires businesses to provide two or more methods for consumers to submit requests for access or deletion, including, at a minimum, a toll-free phone number. In a concession to businesses that operate exclusively online and have direct relationships with consumers from whom they collect personal information, under AB 25 such businesses are only required to provide an email address for such requests.

A Moratorium for B2B Businesses

Business contact data constitutes personal information under the CCPA. In practice, this means that the contact information provided by other business entities is entitled to the same protections as personal information regarding an individual consumer. For B2B businesses, applying the CCPA to contact information collected about employees, owners, directors, or contractors of customers, prospects, service providers and other business entities presents new challenges, especially for businesses that are not subject to the EU’s General Data Protection Regulation, which includes similar requirements.    

With limited exceptions, AB 1355 effectively grants B2B businesses a one-year moratorium from applying the CCPA to certain business contact data. Personal information that falls within the moratorium must meet two criteria: (1) the personal information reflects a written or verbal communication or a transaction between the business and an individual acting as an employee, owner, director, officer or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency, and (2) the communication or transaction must occur solely within the context of the business conducting due diligence regarding, or providing or receiving, a product or service to or from such entity.  At first glance, a B2B business might assume that most, if not all, of the personal information that it collects regarding business contacts is exempt. In reality, AB 1355 focuses on just two of potentially dozens of interactions between businesses and other entities.  The functions identified are relatively narrow (conducting due diligence and providing/receiving a product or service), and the drafters failed to clearly define their scope. Businesses that collect business contact data in other contexts such as lead generation, data brokers, marketing, sales, and other common activities should proceed with caution. It’s critical to understand and document the sources of business contact data, and precisely how such personal information is ingested by the business, before relying on this moratorium. 

There are also two explicit exceptions to the one-year moratorium on applying CCPA rights and obligations to business contact data:

• The consumer’s right to opt out of a sale of personal information (Section 1798.120) remains intact.
• The business is required to comply with  relevant provisions on nondiscrimination that are intended to protect consumers who elect to exercise their rights under the CCPA (Section 1798.125). Businesses should carefully review their business model, including the nature, scope, and timing of incentives, and track results to substantiate their compliance with this clause.  

AB 1355 also clarifies that an individual’s right to initiate a civil action against businesses that experience an incident of unauthorized access and exfiltration, theft or disclosure of personal information may only be undertaken if such personal information is either “nonencrypted” or “nonredacted.” Businesses that are working toward CCPA compliance now have a choice of whether to encrypt or redact personal information as a defense against individual civil claims brought under the CCPA. This approach is also consistent with certain other data breach statutes across the United States.

What’s Next for the CCPA?

With these amendments, California lawmakers have concluded their work on the CCPA until the next legislative session in 2020. The California attorney general is tasked with issuing regulations under CCPA (SB 1121), which are currently slated for release by July 1, 2020. Thus, for the immediate future, the current version of the CCPA (with these amendments) is the blueprint for compliance.

These amendments provide only a temporary reprieve, until Jan. 1, 2021. Lawmakers and lobbyists hoping to extend these and other moratoriums or to revive failed amendments will make their case in the next legislative session. Assemblywoman Autumn Burke, sponsor of failed AB 846 regarding customer loyalty programs, has already publicly announced her intention to bring the bill back to the bargaining table at the earliest possible opportunity. 

Still, for companies already in the trenches with their CCPA compliance efforts, these recent amendments may present a welcome opportunity to shift priorities. In particular, B2B businesses or businesses with California-based employees should view these changes as an opportunity to revisit and perhaps realign CCPA compliance programs to take advantage of the longer lead time. And for the many companies that have been taking a wait-and-see approach to the CCPA, now is the time to set the compliance gears in motion.