Late last week brought two significant and highly anticipated updates to the California Consumer Privacy Act (CCPA).
On October 10, 2019, the Office of the California Attorney General issued a long-anticipated Notice of Proposed Rulemaking Action regarding the CCPA. The full text of the proposed regulations can be found here. The next day, Governor Gavin Newsom signed all seven amendments to the CCPA that came out of the California State Assembly.
This post will address the statutory amendments first since they modify the CCPA itself, then turn to the draft regulations (officially, the “California Consumer Privacy Act Regulations”).
CCPA Statutory Amendments
The new statutory amendments cover a broad range of topics.
Five New CCPA Exemptions/Exclusions:
Assembly Bill 25
Under Assembly Bill 25, there is a one-year exemption under which the CCPA will not apply to the collection of personal information from job applicants, employees, and contractors. The legislature is expected to address these categories of information in 2020. Our previous coverage on AB 25 can be found here.
Assembly Bill 874
Assembly Bill 874 modifies the definitions of “publicly available” and “personal information” contained in the CCPA to exclude aggregated or de-identified consumer information, including information gathered from delineated public records.
Assembly Bill 1355
Similarly, Assembly Bill 1355 exempts aggregated or de-identified consumer information from the definition of personal information. It also creates a one-year exemption for many kinds of B2B data, and expands an exemption for compliance with the Fair Credit Reporting Act (FCRA).
Assembly Bill 1146
Assembly Bill 1146 exempts vehicle repair information that is retained or shared for purposes of a warranty or recall from the CCPA’s right of deletion. This is a narrow exception, but important to protecting the integrity of vehicle history reports and vehicle manufacturers’ warranty databases.
Assembly Bill 1564
Finally, although most businesses are required to provide two methods for consumers to submit requests for information (e.g., a toll-free number plus another means), Assembly Bill 1564 allows online-only businesses that have a direct relationship with their customers to provide a single way to submit requests. That single method of contact may be an email address.
Other CCPA Amendments:
Registration Requirement for Data Brokers: Assembly Bill 1202
Under Assembly Bill 1202, data brokers must register with the California Attorney General. The Bill includes a definition of “data broker,” which, as others have noted, is not necessarily as precise as it could be. AB 1202 also provides that the information provided by data brokers will be made publicly available on the Attorney General’s website.
Expansion of Data Breach Notification Requirement: Assembly Bill 1130
Assembly Bill 1130 revises the definition of “personal information” to include unique biometric data and government identification numbers (e.g., tax identification numbers, passport numbers, etc.). The amendment also requires data breach notices to include instructions for consumers on how to notify other entities that use these types of data for authentication purposes of the breach.
Proposed CCPA Regulations
The current set of proposed regulations contains many highly detailed rules, and may require some companies that tried to get a head start on compliance to revisit the steps they have already taken to make sure they comply with the new regulations as well as the statutes. (So much for trying to get ahead!)
Broadly, the proposed regulations cover the following:
Notices to Consumers
Section 999.305 contains a number of “general principles” applicable to the notices required to be provided to consumers at the time personal information is collected—e.g., use “plain, straightforward language” and make notices available in the languages in which the company ordinarily does business. The rule also prescribes specific information, such as the categories of personal information to be collected, that must be included in the notice. The remainder of Article 2 (§§ 999.306, 999.307, and 999.308) provides similar instructions regarding the contents of notices of the right to opt out, notices of financial incentive, and privacy policies, respectively.
Processing and Review of Consumer Requests
Article 3 (§§ 999.312–999.318) consists of a detailed set of rules that essentially create a standard by which businesses are to handle consumer requests under the CCPA. These requirements are far too numerous (and detailed) to cover in this format, but this is one area where businesses that have already started building out a framework for handling requests should make sure what they have done so far fits what the regulations now require. Beware that there are also some rules relating to service providers lurking in § 999.314. Section 999.317 includes training and record-keeping requirements, including several applicable to data brokers.
Verification of Consumer Requests
Article 4 (§§ 999.323–999.326) creates a set of rules to govern how businesses verify the identities of consumers who submit requests under the CCPA. In some circumstances, a business may use existing account authentication measures to verify the identity of the person making the request. If, however, the consumer does not have a password-protected account with the business, the business will need to match pieces of personal information provided by the consumer with personal information on file. How much information is needed depends on the nature of the request.
Consent for Minors
Article 5 (§§ 999.330–999.332) contains a special set of rules applicable to consent for minors. The rules vary based on whether the minor is under 13 years of age or between 13 and 16 years of age. The regulations apply in addition to the parental consent rules of the Children’s Online Privacy Protection Act, 15 U.S.C. §§ 6501, et seq.
Article 6 (§§ 999.336–999.337) provides instruction on how to comply with the non-discrimination provisions of the CCPA, including guidelines on how to calculate the value of consumer data.
The regulations include a host of definitions in addition to those contained in the CCPA itself, as well as some “illustrative examples.” These examples are not particularly detailed or numerous, but they do provide insight into how the AG is thinking about enforcement of the CCPA.
The public comment period on the proposed regulations closes December 6, following open hearings to be held in Sacramento, Los Angeles, San Francisco, and Fresno on December 2–5. (Details are contained in the Notice of Proposed Rulemaking, available here.) The CCPA is set to take effect January 1, 2020.
More information about CCPA and how to comply can be found here.