On September 13, 2019, the California State Legislature passed several amendments to the California Consumer Protection Act (“CCPA”), which was originally passed in 2018 as a flawed and widely criticized piece of legislation. The California State Legislature amended it just weeks after passing it in an effort to make clarifications. Then, in the 2019 legislative session, numerous bills were introduced ostensibly to provide further clarification, giving businesses subject to the CCPA hope that the California State Legislature would reduce confusion over compliance.
Friday, September 13, was the last day for the California State Legislature to pass legislation. The bills passed included CCPA amendments that will next go to Governor Gavin Newsom for signature. Governor Newsom has until October 13 to sign or veto the bills. The following CCPA amendments are of particular significance:
Temporary Exemption for Employees and Others (Assembly Bill 25)
- Exempts until January 1, 2021 the personal information collected by a business about job applicants, employees, owners, directors, officers, medical staff members, and contractors from all provisions of the CCPA, subject to two exceptions: First, businesses will still need to inform such individuals, at or before the point of collection, of the categories of personal information to be collected and the purposes for which the categories of personal information will be used. Second, such individuals will retain the private right of action granted by the CCPA (for unauthorized release of personal information resulting from the failure to maintain reasonable security measures).
- Clarifies that businesses may require consumers to authenticate their identity in a manner “that is reasonable in light of the personal information requested” and that, while businesses may not require consumers to create accounts for the purpose of submitting a request to exercise their privacy rights, businesses may require consumers who already have accounts to submit requests through such accounts.
Narrowing of Personal Information (Assembly Bill 874)
- Narrows the definition of “personal information” to be information that is “reasonably capable of being associated with, or could reasonably be linked to, directly or indirectly, with a particular consumer or household,” as opposed to any information that is capable of being associated with a particular person or household.
- Narrows “personal information” by expanding the definition of “publicly available information.” The current definition states that “[i]nformation is not ‘publicly available’ if that data is used for a purpose that is not compatible with the purpose for which the data is maintained and made available in the government records or for which it is publicly maintained.” Assembly Bill 874 deletes this language, which would have limited the exemption for “publicly available information.”
Exempting B2B Information, Further Narrowing “Personal Information,” and Expanding Notice Requirement (Assembly Bill 1355)
- Exempts from most CCPA obligations the personal information of consumers who are acting as employees, owners, directors, officers, or contractors of an entity, and communicating with a business as part of a business transaction. The exemption does not apply to the right to opt out of sales of personal information, or to the private right of action. Like the employee exemption mentioned above, this exemption expires on January 1, 2021.
- Further narrows the definition of personal information to exclude consumer information that is de-identified or aggregated data.
- Expands the notice provisions to require businesses to notify consumers of (i) their right to request the business disclose the categories and specific pieces of personal information collected about consumers, and of (ii) their right to request that the business delete their personal information.
Reducing Burden of Consumer Requests (Assembly Bill 1564)
Provides that a business operating exclusively online, and that has a direct relationship with a consumer “from whom it collects personal information,” may provide an email address for submitting consumer requests, instead of providing “two or more designated methods for submitting requests for information . . ., including, at a minimum, a toll-free telephone number.”
Data Broker Registry (Assembly Bill 1202)
Lastly, although not an amendment to the CCPA, the legislature passed a related bill that would require “data brokers” to register with the California Attorney General. In doing so, data brokers must provide the Attorney General their contact information as well as information they choose to provide about their data collection practices. The Attorney General must then post the information it receives on its website. A previous version of the bill would have required data brokers to provide consumers all rights afforded by the CCPA, and did not contain the CCPA exemptions for small businesses, but this provision was removed from the final bill.
Subject to exceptions for consumer reporting agencies, financial institutions, and entities covered by the Insurance Information and Privacy Protection Act, a “data broker” is a “business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” Although the bill does not define the term “direct relationship,” it states that consumers may form direct relationships with a business by visiting its premises or website, or affirmatively and intentionally interacting with its online advertisements. A data broker that fails to register is subject to injunction and civil penalties of $100 per day.
Also contributing to this QuickStudy: Junhan Zhang, a law student at The University of Connecticut School of Law.