Final 2019 Changes to the CCPA Are In! What You Need to Know…
The California Consumer Privacy Act of 2018 (“CCPA”), which goes into effect on January 1, 2020, continues to evolve in a number of important respects. Earlier this month, California’s Governor signed into law a number of amendments to the CCPA, which clarify several important issues. Shortly before the amendments were signed into law, California’s Attorney General also issued proposed regulations to implement the CCPA. Although these proposed regulations are subject to change before they become effective, they elaborate on issues of interest to businesses working on CCPA compliance readiness. Following is a summary of several notable changes and proposals:
Some employers may breathe a sigh of relief – for now. Prior to the enactment of the recent amendments, the scope of “personal information” under the CCPA was so broad that it appeared businesses would have to implement full CCPA compliance measures with respect to data concerning their own employees, who some argued are not consumers, as that term is traditionally understood. After weighing this issue, California created an exemption from most CCPA requirements for the information of job applicants, owners, directors, officers, employees, and contractors of businesses subject to the CCPA. Notably, businesses that benefit from this exemption will still have to provide the foregoing employees and other parties with privacy notices and cannot collect or use their personal information beyond the scope outlined in such notices without providing further notice. Very importantly, this exemption will become inoperative on January 1, 2021, and it remains to be seen whether the California State Legislature will take further action to make this exemption permanent.
Due to the broad scope of “personal information” under the CCPA, businesses subject to the CCPA were also concerned that they would have to implement full CCPA compliance measures with respect to data concerning the staff members and contractors of their clients that they collected in the course of providing goods or services to such clients. Fortunately, the California State Legislature created a similar exemption for such business-to-business communications and exchanges of information in the context of providing or receiving products or services or conducting due diligence related to such transactions. This exemption is broader than the personnel exemption, as it also relieves businesses from providing a privacy notice at or before the point of collection. However, similar to the personnel information exemption, this exemption will become inoperative on January 1, 2021. It remains to be seen whether the California Legislature will make this exemption permanent, although it will simplify compliance efforts in the near term.
Among a number of other changes, the amendments also clarify the following:
- “Personal information” under the CCPA does not include de-identified or aggregate consumer information. The standards for meeting the definitions of “aggregate consumer information” or “de-identified” information under the CCPA are strict, but these clarifications may be helpful to some businesses.
- Certain vehicle information or vehicle ownership information retained or shared between a new motor vehicle dealer and the vehicle’s manufacturer in connection with certain warranty or recall repairs is now exempt from the consumer’s right to opt out of a sale of personal information.
- The exemption for consumer credit reporting under the Fair Credit Reporting Act has been clarified and broadened.
- Businesses that operate exclusively online and have direct relationships with consumers are no longer required to have a toll-free number as one of their two methods for consumers to contact the business and can instead provide an email address for consumers to submit requests.
Navigating the AG’s Proposed Regulations
The proposed regulations expand upon and clarify a number of key issues in the CCPA and explain how the CCPA’s requirements should be implemented by businesses. Before final regulations are issued, interested parties may submit written comments or participate in public hearings throughout California. While we expect some changes in 2020, the proposed regulations, in their current draft, include guidance on the following issues:
- The type of notice a business must provide to consumers at or before the time it collects their personal information and where/how the notice must be provided
- How notices of consumers’ right to opt out of sale of their data must be provided, the statements to be made by businesses that do not sell consumer personal information, and the requirement to respond to consumer requests to opt out within 15 days
- Acceptable methods for allowing consumers to submit requests, including a toll-free telephone number and webform (if the business operates a website), as well as a designated e-mail address and forms to be submitted in person or through the mail
- A required two-step process for online consumer requests to delete information, which is designed to prevent unintentional deletions
- A new requirement that businesses confirm receipt of consumer requests to know or delete within 10 days and provide information on how they will process requests
- Specific types of information businesses must not disclose to consumers for security reasons and specific standards for verification of consumer identity, including variations in verification standards based upon information sensitivity and situations in which a business may deny a request because it cannot verify identity
- Methods for deleting information in response to consumer requests
- Recordkeeping requirements with respect to responses to consumer requests
Chambliss will continue monitoring these and other developments in the information privacy area. Should you have questions about the Act or preparations for compliance, please contact Cal Marshall, Willa Kalaidjian, or any member of our Business Section.