Last week, after months of negotiation and speculation, the California legislature passed bills amending the California Consumer Privacy Act (“CCPA”).  This marked the last round of CCPA amendments before the legislature adjourned for the year—and before the CCPA takes effect on January 1, 2020.  California Governor Gavin Newsom has until October 13 to sign the bills into law.  Separately, the Attorney General’s office is expected to release a draft of proposed CCPA regulations for public input later this Fall.

  • Exemption for employees and job applicants: AB 25 (Chau) generally exempts from the CCPA—for one year—personal information collected from job applicants, employees, owners, directors, officers, medical staff members, or contractors, as well as their emergency contacts and their beneficiaries.  However, employers must provide these individuals with general notice of the types of personal information collected about them and the purposes for which the information is used.  Employers may be liable if certain types of unredacted or unencrypted personal information are breached due to unreasonable data security.
  • Exemption for business customers and other technical corrections: AB 1355 (Chau) exempts from the CCPA—also for one year—personal information reflecting a communication or transaction with a natural person who is acting as an employee, owner, director, officer or contractor of another company or legal entity in most circumstances.  This language generally creates an exemption for personal information about business customers.  The bill clarifies that the CCPA’s private right of action does not apply if personal information is either encrypted or redacted.  The bill also makes certain technical corrections, including revising the exemption for activities involving consumer reports that are regulated under the Fair Credit Reporting Act and clarifying that de-identified or aggregate consumer information is excluded from the definition of “personal information.”
  • Definitions of “personal information” and “publicly available information:” AB 874 (Irwin) includes several helpful clarifications with respect to the scope of “personal information” regulated under the statute.  Previously, “personal information” was defined to include all information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”  The amended definition of “personal information” clarifies that information must be “reasonably capable of being associated with” a particular consumer or household.  Separately, the bill clarifies that “publicly available information” means information that is lawfully made available from federal, state, or local records, regardless of whether the data is used for a purpose that is compatible with the purpose for which the data was made publicly available.  Further, the bill revises the definition of “personal information” to clarify that it does not include de-identified or aggregate information.
  • Required methods for receiving consumer requests: The CCPA provides that a covered business is required to make available to consumers two or more reasonably accessible methods for submitting requests under the CCPA, including, at a minimum, a toll-free telephone number, and, if the business maintains an internet website, a website address.  AB 1564 (Berman) would amend this requirement to provide that a business which (1) operates exclusively online and (2) has a direct relationship with the customer from whom it collects personal information needs to provide only an email address.  If the business also maintains a website, the bill requires the business to make the website available to consumers to submit requests.  Finally, the bill expressly permits a business to require a consumer who maintains an account with the business to submit a request through the account.
  • Exemption for vehicle warranty/recall purposes: AB 1146 (Berman) exempts, from the CCPA’s right to opt out and right to delete, vehicle or owner information retained or shared between a new motor vehicle dealer and the vehicle’s manufacturer for the purposes of vehicle repair covered by a warranty or recall.

The legislature also passed three non-CCPA privacy bills relating to data breach notification requirements, children’s use of online social media platforms, and registration of data brokers.

  • Data breach notification requirements: AB 1130 (Levine) expands the definition of “personal information” under California’s data breach notification law to include biometric data (such as “a fingerprint, retina, or iris image”), tax identification numbers, passport numbers, military identification numbers, and unique identification numbers issued on a government document.
  • Children’s social media accounts: AB 1138 (Gallagher) prohibits social media platforms from allowing children under the age of 13 to open an account without parental consent.  It also requires that such businesses implement “reasonable measures to ensure that the person who is giving their consent is the parent or legal guardian of the person under 13 years of age.”
  • Data broker registration: AB 1202 (Chau) requires data brokers to register with the Attorney General and in turn requires the Attorney General to make the information provided by data brokers accessible to the public on its website.
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Lindsey Tonsager Lindsey Tonsager

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection…

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection laws, and regularly represents clients in responding to investigations and enforcement actions involving their privacy and information security practices.

Lindsey’s practice focuses on helping clients launch new products and services that implicate the laws governing the use of artificial intelligence, data processing for connected devices, biometrics, online advertising, endorsements and testimonials in advertising and social media, the collection of personal information from children and students online, e-mail marketing, disclosures of video viewing information, and new technologies.

Lindsey also assesses privacy and data security risks in complex corporate transactions where personal data is a critical asset or data processing risks are otherwise material. In light of a dynamic regulatory environment where new state, federal, and international data protection laws are always on the horizon and enforcement priorities are shifting, she focuses on designing risk-based, global privacy programs for clients that can keep pace with evolving legal requirements and efficiently leverage the clients’ existing privacy policies and practices. She conducts data protection assessments to benchmark against legal requirements and industry trends and proposes practical risk mitigation measures.

Photo of Libbie Canter Libbie Canter

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports…

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state privacy laws, including the California Consumer Privacy Act and California Privacy Rights Act.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations.

As part of her practice, she also regularly represents clients in strategic transactions involving personal data and cybersecurity risk. She advises companies from all sectors on compliance with laws governing the handling of health-related data. Libbie is recognized as an Up and Coming lawyer in Chambers USA, Privacy & Data Security: Healthcare. Chambers USA notes, Libbie is “incredibly sharp and really thorough. She can do the nitty-gritty, in-the-weeds legal work incredibly well but she also can think of a bigger-picture business context and help to think through practical solutions.”