And At the End of the Day, the CCPA Remains Very Much the Same (Guest Blog Post)
by guest blogger Tanya Forsheit
I am back to provide a post mortem on what many have portrayed – inaccurately – as a long and successful battle by business interests to gut the CCPA. The legislative session is over and, to the surprise of no one who was involved in those dealings in Sacramento over the last year, the CCPA has not changed much at all. It is easy for those who sought to expand the CCPA to claim that business was gutting it because there is no publicly available version of the law with all the changes in one place. There are many versions of various bills on the California legislature’s website, but they show only fragments of changes, which are often duplicative for procedural reasons. Making matters more complicated, the redlines available on the legislature’s site only show the most recent changes in a bill, not the cumulative changes. This is simply how legislative counsel creates the documents that are posted online – it has nothing to do with anyone trying to hide the process. Nonetheless, as a practical matter, it is nearly impossible to see what really changed.
I am tired of hearing so many people misrepresent what really happened, so I have created what I believe is an accurate master redline comparing the CCPA in its current form (in SB 1121) to the CCPA as amended by the bills that passed the legislature before the end of the legislative session on September 13 – AB 25, AB 874, AB 1146, AB 1202, AB 1355, and AB 1564. This version (in clean form) is what will be law effective January 1, 2020, if Governor Newsom signs these bills into law before October 13 (which he is expected to do). If anyone thinks I messed up this redline, please don’t hesitate to let me know. I want to get it right.
The redline is remarkably self-explanatory. Almost nothing of substance has changed in the CCPA, with the exception of a number of narrowly tailored and, in some cases, self-destructing exemptions to particular requirements of the law.
Business did not gut the CCPA. Business got almost nothing despite a tireless, months-long effort to reach consensus with privacy advocates on reasonable changes to the law – changes that actually would have made it easier for businesses to comply, and therefore would have made the law more protective of consumers. But none of that was to be. Bygones.
Let’s look at what actually changed in substance. The following is a high-level summary. You can find the actual guts in my redline.
- There is a new narrow exception to the deletion right if a business needs the information in order to fulfill the terms of a written warranty or product recall conducted in accordance with federal law (Section 1798.105(d)(1)) (added by AB 1146)
- The disclosure right clarifies that a consumer has the right to request specific pieces of information that a business has collected about him or her (they don’t automatically get it, but they have the right to request it) (Section 1798.110(c)(5)) (added by AB 1355)
- A business that operates exclusively online and has a direct relationship with a consumer from whom it collects personal information is only required to provide an email address for submitting requests for information required to be disclosed (instead of a toll-free number). (Section 1798.130(a)(1)(A)) (added by AB 1564)
- A business may require authentication of a consumer that is reasonable in light of the nature of the personal information requested, and if the consumer maintains an account with the business, the business may require the consumer to submit the request through that account. (Section 1798.130(a)(2)) (added by AB 25)
- The word “reasonably” has been added in front of “capable of being associated with” a consumer or household in the definition of “personal information” (Section 1798.140(o)(1)) (added by AB 874)
- Any information that is lawfully made available from federal, state, or local government records is now “publicly available” and not “personal information,” regardless of how that information is used (Section 1798.140(o)(2)) (added by AB 874)
- The existing exemption for purposes of information processing that is already strictly regulated by the Fair Credit Reporting Act (the “FCRA”) is clarified. Specifically, the CCPA does not apply to an activity involving the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, by a furnisher of information, who provides information for use in a consumer report, and by a user of a consumer report. The exemption does not impact a consumer’s ability to bring a private action against a business for a data breach involving such information (Section 1798.145(d)) (added by AB 1355)
- A narrow industry-specific exemption from the “do not sell” requirements for vehicle information or ownership information retained or shared between a new motor vehicle dealer and the vehicle’s manufacturer, if the vehicle or ownership information is shared for the purpose of effectuating, or in anticipation of effectuating, a vehicle repair covered by a vehicle warranty or a recall, provided that the new motor vehicle dealer or vehicle manufacturer with which that vehicle information or ownership information is shared does not sell, share, or use that information for any other purpose. (Section 1798.145(g)) (added by AB 1164)
- A long-anticipated exemption, which will expire after only one year on January 1, 2021, for personal information that is collected by a business about a natural person in the course of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business to the extent that the natural person’s personal information is collected and used by the business solely within the context of the natural person’s role or former role as one of the foregoing. This exemption also covers emergency contact information of such individuals and information used to administer benefits for another natural person relating to such individuals. All of these individuals nonetheless retain their rights to be informed of the categories of personal information to be collected and the purposes for which the categories of personal information shall be used by the business. And these individuals retain their right to bring a private action for a data breach. (Section 1798.145(h)) (added by AB 25).
- A much-needed clarification that the law does not require a business to collect personal information that it would not otherwise collect in the ordinary course of its business or retain personal information for longer than it would otherwise retain such information in the ordinary course of its business (Section 1798.145(l)) (added by AB 1355)
- A narrow exemption from only certain aspects of the law, which also expires after one year, for personal information reflecting a written or verbal communication or a transaction between the business and the consumer, where the consumer is a natural person who is acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency and whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from such entity. The exemption does not apply to the “do not sell” provisions or the non-discrimination provisions, and has no impact on such individuals’ ability to bring a private action for a data breach (Section 1798.145(o)) (added by AB 1355)
- A clarification that the Attorney General may adopt additional regulations to establish rules and procedures on how to process and comply with verifiable consumer requests for specific pieces of personal information relating to a household in order to address obstacles to implementation and privacy concerns. I speculate that this was done in order to address the very significant concerns of businesses that someone in a household will be able to seek copies of information of other individuals in a household, creating privacy and safety risks. It is a mystery to me why the word “household” was not simply dropped from the definition of personal information since both business and privacy advocates took issue with that word. (Section 1798.185(b)(1)) (added by AB 1355)
- Finally, in a last-minute surprise, a brand new law (not really a part of the CCPA, but tagged on the end) requiring “data brokers” to register with the Attorney General, very similar to Vermont’s existing law. “Data broker” is defined to mean a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship. It does not include entities already regulated by the FCRA, the GLBA, or California’s Insurance Information and Privacy Protection Act. By comparison, Vermont defines a “data broker” as a business that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship. The major difference from Vermont lies in the much broader definitions of “sell” and “personal information” found in the CCPA, cross-referenced in this provision (Section 1798.99.80 et seq.) (added by AB 1202)
And that’s all she wrote.