1. “Business-to-business” exemption (AB1355)
Among other non-substantive clarifications, AB1355 exempts from most sections of the law the collection of personal information by a business from a consumer who is acting as an employee, owner, director, officer, or contractor of a company for the purpose of the business conducting due diligence regarding, or providing or receiving a product or service to or from such company. For example, under AB1355, the personal contact information of an employee of Company A, which was obtained by Company B during communications regarding an order of widgets would be exempted from the obligations of the CCPA. This business-to-business exemption does not extend to the section of the law relating to the private cause of action in the event of a data breach. This business-to-business exemption expires on January 1, 2021, unless the legislature takes further action to extend it.
AB1355 also exempts activity involving the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, only to the extent that such activity is subject to regulation under the Fair Credit Reporting Act and the information is not used, communicated, disclosed, or sold except as authorized by the Fair Credit Reporting Act. Thus, AB1355 functionally exempts credit reporting agencies from the requirements of the CCPA, provided that they are operating under the Fair Credit Reporting Act.
2. “Employee” exemption (AB25)
AB25 exempts from most sections of the law personal information that is collected by a business about a person in the course of the person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business. This “employee” exemption only applies to the extent that the personal information is collected and used by the business solely within the context of the person’s role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or a contractor of that business. This employee exemption does not extend to the section of the law relating to the private cause of action in the event of a data breach. It also does not extend to section 1798.100, which gives a consumer the right to request that a business that collects a consumer’s personal information disclose to that consumer the categories and specific pieces of personal information the business has collected.
The amendments in AB25 expire on January 1, 2021, unless the legislature takes further action to extend it.
3. “Personal information” clarification (AB874)
AB874 clarifies that “personal information” does not include consumer information that is deidentified or aggregate consumer information. The amendment also clarifies that “personal information” does not include publicly available information, which is information that is lawfully made available from federal, state, or local government records. Under this definition of “publically available information,” other information which has been publicly revealed by the individual does not constitute “publically available information” because it has not been made available by a governmental entity.
4. “Opt-out” limitation (AB1146)
AB1146 clarifies that a business or a service provider is not required to comply with a consumer’s request to delete the consumer’s personal information if it is necessary for the business or service provider to maintain the consumer’s personal information in order to fulfill the terms of a written warranty or product recall conducted in accordance with federal law.
It also places some limitations on the “right to opt-out,” which is the right of a consumer to direct a business not to sell the consumer’s personal information to third parties. The right to opt-opt does not apply to vehicle information or ownership information that is retained or shared between a vehicle dealer and manufacturer, unless provided for the specific purposes outlined in AB1146.
5. Mechanism for consumer requests (AB1564)
AB1564 clarifies the mechanisms that must be provided to consumers to make access and deletion requests. The law requires a business to make available to consumers two or more designated methods for submitting requests for information, including, at a minimum, a toll-free telephone number. Under this amendment, a business that operates exclusively online and has a direct relationship with a consumer from whom it collects personal information is only required to provide an email address for submitting requests for information. If the business maintains an internet website, the business must make the internet website available to consumers to submit requests for information.
The governor has until October 13 to sign or veto the amendments. With less than five months until enforcement, all businesses should analyze the CCPA’s applicability and scope, and those that are subject to the law should take practical steps to comply with the law’s requirements. For questions or information on CCPA application and compliance, please contact one of the attorneys below.