Blog
Although scheduled to end on Friday, September 13th, the California State Legislature was not able to conclude its business for the term until early Saturday morning. A protestor dropped blood onto the senate floor on Friday afternoon, necessitating an evacuation and cleanup that delayed the session’s conclusion.
However, the disruption did not prevent the legislature’s final approval of several CCPA amendments that will now go to the governor for his signature. The substantive and technical amendments passed this year answer some of the questions that have been pending since the last round of amendments at the conclusion of the 2018 legislative session, including:
Q: Do businesses have to worry about their employees and contractors for purposes of CCPA compliance?
A: Yes, but there have been some scope limitations. Until January 1, 2021, personal information collected from employees, job applicants, owners, directors, officers, medical staff, and contractors of a business, including emergency contact information and beneficiary information, is largely exempt from CCPA. However, businesses must still provide CCPA-compliant privacy notices to these individuals and statutory relief remains available in the event of a data breach.
Q: What about business to business communications or transactions?
A: As with the employee exemption, there has also been a delay of certain CCPA compliance requirements for direct business to business communications and transactions until January 1, 2021. Non-discrimination and opt-out rights are not covered by this exemption and statutory relief is still available in the event of a data breach.
Q: Are there any new clarifications or exemptions to the definition of “personal information”?
A: A few. “Personal information” now includes information that is “reasonably capable of being associated with” a particular consumer or household, instead of simply “capable of being [so] associated.” De-identified and aggregate consumer information are wholly excluded. Information that is lawfully made available from federal, state, or local government records is also exempt.
Q: Do businesses need to provide a toll-free telephone number in order to intake consumer information requests?
A: Yes, unless a business operates exclusively online and has a direct relationship with consumers from whom it collects personal information. In that case, an email address can be used instead of a toll-free number. The CCPA still requires businesses to offer two separate consumer request submission mechanisms, and businesses that maintain a website must provide a means for consumers to submit requests on the website.
Q: Is there any clarification on what businesses can/need to do in order to verify a consumer’s identity when responding to an individual rights request?
A: A little. While businesses still cannot require consumers to create an account in order to submit a valid consumer request, businesses “may require authentication of the consumer that is reasonable in light of the nature of the personal information requested,” and if the requesting consumer maintains an account with the business, the business can require that the request be submitted through that account.
Q: What else has changed?
A: Consumers do not have the right to opt out of the sharing of their vehicle or ownership information between dealers and manufacturers. The Fair Credit Reporting Act exemption has been broadened to include any FCRA-regulated activity.
Q: What’s next?
A: The governor has until October 13th to sign the amendments into law. The CCPA goes into effect on January 1, 2020, at which point consumers can exercise their individual rights under the CCPA and pursue private causes of action in response to a data breach. The California Attorney General is slated to issue implementing regulations to help businesses comply with the law, and he can commence his own CCPA enforcement actions six months after the promulgation of the regulations, or on July 1, 2020, whichever is sooner.