Examining the six amendments to the CCPA awaiting Governor Newsom’s signature

The California Consumer Privacy Act (CCPA) will go into effect on January 1, 2020. Although the statute will be effective in only a few short months, key amendments are still awaiting the Governor’s signature.

The California legislature recently passed six key amendments to the CCPA, which Governor Newsom has until October 13, 2019, to sign. Two key amendments exempt employee data and business-to-business (B2B) communications from many of the CCPA’s provisions.

Other amendments include a clarification of “publicly available” as it relates to a specific exemption for public information, a similar clarification regarding de-identified and aggregate data, and the addition of the term “reasonable” as it pertains to whether information can be associated with a particular consumer and therefore covered by the CCPA.

The key amendments are summarized below:

AB 25: Employee information

AB 25 provides that consumer information “collected from a natural person” who is a job applicant or employee will not be covered by the CCPA. This is one of several pro-business revisions.

Importantly, AB 25 exempts employee information only for a year, until January 1, 2021. And the exemption is not absolute. Companies must still inform employees what information is collected about them, and employees may still sue if they are impacted by a data breach.

AB 1355: Business communications

AB 1355 exempts B2B communications from some of the CCPA’s provisions. Specifically, AB 1355 excludes from the CCPA’s definition of personal information “written or verbal communication or a transaction between the business and the consumer, where the consumer is a natural person who is acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency and whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from such company, partnership, sole proprietorship, nonprofit or government agency.” The exemption, like the exemption for employee information, is only in place for one year.

This bill also makes clarifications and other technical amendments to a variety of provisions, including clarifying an exemption for information covered by the Fair Credit Reporting Act (FCRA) and specifying that the CCPA does not require businesses to collect personal information that they would not normally collect or to retain it for longer than they otherwise would.

AB 874: De-identified or aggregate information

AB 874 defines publicly-available information as information that is lawfully made available from government records. It also clarifies that personal information does not include consumer information that is de-identified or aggregate.

AB 874 also adds that personal information covered by the CCPA includes information that is “reasonably capable” of being associated with a particular consumer or household (as opposed to just being “capable” of being so associated). This is another pro-business amendment intended to narrow somewhat the statute’s very broad scope.

AB 1146: Vehicle ownership information

AB 1146 provides an exemption from the consumer’s right to opt out of the sale of his or her personal information with respect to vehicle ownership information shared between a new car dealer and the manufacturer for repairs covered under warranty or recall, provided that the dealer or manufacturer with whom the information is shared does not sell, share, or use that information for any other purpose.

AB 1202: Registry of data brokers

AB 1202 (which is not technically an amendment to the CCPA but a new bill) requires the Attorney General to create a publicly-available registry of data brokers on its website. A data broker is defined as a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.

AB 1564: Contact points

The CCPA requires brick-and-mortar businesses to provide two contact points for consumers to submit requests for information, including a mandatory toll-free telephone number. AB 1564 provides that online-only businesses need only provide a dedicated e-mail address.

A number of amendments did not pass before the close of the legislative session. One amendment, AB 846, would have allowed companies to collect personal information for the purpose of loyalty programs without the practice being discriminatory under the CCPA. Other proposals would have increased exclusions pertaining to targeted advertising and fraud detection.

The Attorney General’s draft regulations, which will further clarify the CCPA’s provisions, are expected later this fall. Another ballot proposal that would further strengthen consumer privacy rights is already in the works. With only a few months until the statute goes into effect, and with enforcement scheduled to begin in the middle of next year, covered entities would be wise to ensure they are well prepared.

Luke Sosnicki is a Los Angeles partner in Thompson Coburn’s Business Litigation group who has written and spoken extensively about the California Consumer Privacy Act (CCPA). Jim Shreve is the chair of Thompson Coburn's Cybersecurity group. Libby Casale is an associate in Thompson Coburn’s Business Litigation group and holds CIPP/US certification.

The Supreme Court of Illinois does not recognize certifications of specialties in the practice of law, and the CIPP/US certificate is not a requirement to practice law in Illinois.