California Governor Signs CCPA Amendments Ahead of 2020 Effective Date
October 15, 2019
Last week, the nearly yearlong process of amending the California Consumer Privacy Act of 2018 (CCPA) was finalized. The amendments to the CCPA were previously approved by California legislators, and, on Friday, the changes were signed into law by Governor Gavin Newsom. The bills amend the CCPA and become part of the law, which takes effect on January 1, 2020.
The CCPA serves as the most comprehensive consumer data privacy legislation in the United States, echoing many of the foundational principles mandated in the European Union’s General Data Protection Regulation, and following a global movement to better protect consumers’ data from unregulated exploitation, as was seen in Facebook’s Cambridge Analytica scandal that surfaced early last year.
This final round of amendments loosened some of the law’s standards, but the underlying structure of the CCPA remained largely intact. For a more detailed summary of the pre-amendment CCPA, please see this recent McNees Client Alert. Below is a brief overview of the most impactful changes to the legislation.
Definition of Personal Information
The definition of “personal information” was amended by AB 874 to include a reasonableness qualifier, meaning that the law will now only apply to personal information that is reasonably capable of being associated with a California consumer or household. This addition, promoted by business advocates, foreshadows future battles defining the scope of the reasonableness standard, which may result in court action for interpretation.
Exemption for Employees
AB 25 exempts employee information from most aspects of the law. With this amendment, the CCPA does not apply to personal information of a California resident that was collected by a business in the course of the individual acting as a job applicant, employee, owner, director, officer, medical staff member, or contractor of the business. This change means that employees are not afforded certain rights to access or delete their data that the business collected about the employee in their capacity as an employee, but the employees will still possess these rights related to any data collected by the business in their capacity as a consumer. Nevertheless, this amendment will only remain in effect for one year and will sunset on January 1, 2021, unless legislators further extend the amendment in 2020.
Personal information collected in B2B transactions will also be exempt from most of the CCPA requirements (for now). Under a provision added by AB 1355, the law shall not apply to personal information conveyed during a transaction between a business and a consumer where the consumer is acting as an employee, owner, director, officer, or contractor of another organization, and where the consumer's communications with the business occur solely within the context of the business “conducting due diligence regarding, or providing or receiving a product or service to or from such [other entity].” Like the employee information exemption, this B2B exemption sunsets on January 1, 2021.
Private Right of Action
The last notable amendment does not change the actual CCPA itself, but will affect consumers’ right to sue in the event of a data breach. The CCPA’s private right of action for a data breach is tied to the definition of personal information under California’s separate breach notification statute (not the CCPA’s personal information definition discussed above).
The amendment to the breach notification statute expands the types of personal information that may be used as the premise for a private action against the business if that information is accessed through a data breach. This amendment, known as AB 1130, adds tax ID numbers, passport numbers, military ID numbers, unique ID numbers on government-issued documents, and certain types of unique biometric data, such as fingerprints and retinal scans, to the definition of personal information. Therefore, businesses that collect or retain any of these expanded identifiers may be subject to a lawsuit in the event of a breach caused by their failure to maintain reasonable security procedures.
The CCPA was amended by several other bills that were signed by the governor. The McNees Privacy & Data Security Group will continue to monitor these amendments and can assist your business, domestically and abroad, in preparing for their impact.
© 2019 McNees Wallace & Nurick LLC
McNees Privacy & Data Security Alert is presented with the understanding that the publisher does not render specific legal, accounting or other professional service to the reader. Due to the rapidly changing nature of the law, information contained in this publication may become outdated. Anyone using this material must always research original sources of authority and update this information to ensure accuracy and applicability to specific legal matters. In no event will the authors, the reviewers or the publisher be liable for any damage, whether direct, indirect or consequential, claimed to result from the use of this material.