California Amends CCPA, Adopts Data Broker Law

During the final days of the 2019 legislative calendar, California lawmakers passed several bills to amend the California Consumer Privacy Act (CCPA). If signed into law by the governor, the bills make the following substantive changes and clarifications:

  • Employee information. Provides a partial CCPA exemption for information a business collects from job applicants, employees, and independent contractors — and their emergency contacts and beneficiaries — if the business uses it solely within the context of these relationships. The exemption expires January 1, 2021, and does not apply to CCPA’s point-of-collection disclosure requirements or the private right of action for data breaches.
  • Definition of personal information. Limits the definition of personal information to information that is “reasonably” capable of being associated with a consumer or household. The concept of reasonableness was partially, but not fully, covered under the prior definition.
    • Deidentified or aggregate information. Clarifies that deidentified or aggregate information is not personal information. The law previously contained a typo that excluded such information from the definition of “publicly available” instead of “personal information.”
    • Publicly available information. Redefines “publicly available” to mean information that is lawfully made available from federal, state, or local government records. The law no longer requires the business to use the information solely for the purpose for which the government made the information available.
  • Verifiable consumer requests. Authorizes businesses to require authentication of each consumer that is reasonable in light of the nature of the personal information requested, including verification through the consumer’s account if he or she maintains one. Although likely required previously, the bill specifies that the Attorney General must establish rules and procedures on how to verify consumers’ identities before providing specific pieces of personal information.
  • Intake procedures for consumer requests. A business that operates exclusively online may now require consumers with whom it has direct relationships to submit CCPA requests through a dedicated email address rather than by phone. Clarifies that a business need not accept consumer requests online if the business does not maintain a website.
  • Exemptions. Amends, creates, or clarifies various CCPA exemptions, including:
    • Business-to-business exemption. Provides a partial exemption for information collected from owners, officers, directors, employees, and contractors of a business in connection with communications or transactions with that business. The CCPA’s anti-discrimination and sales opt-out requirements still apply to this information and individuals may still bring lawsuits if their information is subject to a data breach. The exemption expires on January 1, 2021.
    • FCRA exemption. Clarifies the scope of the exemption for activities that are subject to regulation under the Fair Credit Reporting Act. Additionally, the FCRA exemption no longer applies to the CCPA’s private right of action.
    • OEM-dealer exemption. Exempts information retained or shared between a new motor vehicle dealer and the vehicle’s manufacturer if shared for warranty or recall purposes. The exemption does not apply if the recipient of the information shares or sells it for other purposes.
  • Anti-discrimination. Clarifies that businesses may charge consumers a different price for goods or services if that difference is reasonably related to the value provided to the business by the consumer’s data. The prior version incorrectly stated that the exemption applied if the difference was related to the value provided to the consumer.

In addition to these CCPA amendments, the legislature also passed AB 1202, which requires businesses to register with the state on or before January 31st following each year in which they meet the definition of “data broker.” The bill defines data broker as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship” — though it exempts consumer reporting agencies, financial institutions, and entities governed by the insurance code.