In June 2018, California broke new ground when it was the first state in the nation to enact a comprehensive data privacy law.
The new law, called the California Consumer Privacy Act, gives Californians significant new rights to control their personal information and requires that businesses covered by the CCPA be transparent about how they collect, use and share that information. The law takes effect on January 1, 2020, just two months from now.
Although California consumers welcomed ideas of transparency and control, the CCPA as originally passed was unwieldy for businesses. The law clocked in at a hefty 10,000+ words in length, was drafted in less than a week and in some instances was hopelessly vague.
It contained inconsistencies and cross-referenced sections that didn’t exist. To say that the CCPA was in need of a good edit and polish is an understatement, to say the least. The California Legislature cleaned up some of these drafting errors with minor amendments earlier this year.
More recently, the state of California provided some good news and some guidance to businesses in the form of two major amendments to the CCPA and draft implementing regulations issued by the Attorney General’s office. In this post, we break down these two amendments and how they ease – but do not eliminate – the compliance burden for businesses subject to the CCPA. In upcoming posts, we will examine the draft implementing regulations issued on October 10, 2019 and what they mean for businesses.
Two recent CCPA amendments
On October 11, 2019, Governor Gavin Newsom signed two amendments that significantly narrowed the application of the CCPA for one year. These amendments are frequently referred to as the “employee exemption” and the “business-to-business” (or B2B) exemption, but the word “exemption” overstates their effect. Instead, these amendments limit some CCPA rights (and business obligations) for these groups for one year. Both groups will be entitled to full CCPA rights beginning on January 1, 2021 (unless the CCPA is amended again before then).
> The limited exception for some employee rights for one year
Assembly Bill 25 amended the CCPA to exclude personal information that businesses collect about job applicants, employees, owners, directors, officers and contractors from some CCPA rights for one year. This amendment was incorporated into the CCPA at Civil Code §1798.145(h). As a result of the amendment, job applicants and employees will not have the right to submit a request to know or a request to delete information that their employer or former employer has collected about them until January 1, 2021.
But make no mistake, starting on January 1, 2020 – again, just two months from now – job applicants and employees will have some rights under the CCPA. First, businesses subject to the CCPA will be obligated to give job applicants and employees a “Notice at Collection” that informs the job applicants and employees of (1) the categories of personal information that the business collects about them, and (2) the purpose for which the information will be used. The Notice at Collection must be delivered to the job applicant or employee at or before the time the information is collected.
This means that if a covered business accepts job applications or resume candidates online, the business must give the applicant a Notice at Collection (via a pop-up or link) at or before the time the job applicant completes a job application or uploads a resume. Likewise, current employees will be entitled to a Notice at Collection to inform them of the categories of personal information that the business collects about them while they are on the job, and the purposes for which it is used.
The right to a Notice at Collection isn’t the only right that job applicants and employees will get under the CCPA starting in January 2020. Job applicants and employees also have the right to sue businesses if their nonencrypted and nonredacted sensitive personal information (such as social security number, driver’s license number, medical information or health insurance information) is breached as a result of the business’s duty to implement and maintain reasonable security procedures and practices. In the event of a data breach of this type, the CCPA allows consumers—including job applicants and employees— to recover actual damages or statutory damages of $100 – $750 per consumer, per incident, whichever is greater. This is a game-changer, because California is the only state in the country that provides for statutory damages in the event of a data breach.
> The “business-to-business” exception also is limited and expires in one year
The second most notable amendment to the CCPA is Assembly Bill 1335, which excludes personal information collected by a business where it is communicating with a consumer who is acting on behalf of another organization, and the communication occurs solely within the context of a business transaction. In other words, individuals whose personal information is collected in a business context, or in a B2B channel, do not have the CCPA-conferred rights to a Notice at Collection, or the right to access or delete their personal information.
This amendment was incorporated into the CCPA at Civil Code §1798.145(n)(1). But, like the limited exception for employee data discussed above, it would be a mistake to think about personal information collected in a B2B context as being “exempt” from the CCPA entirely. Like job applicants and employees, a person whose sensitive personal information is gathered in a B2B context has the right to sue for actual and statutory damages if their sensitive information is breached in an unencrypted or unredacted form due to the business’s failure to implement and maintain reasonable security procedures and practices.
And, like the employee amendment, the exclusion of B2B-collected data from the rights to know and delete will expire on January 1, 2021, meaning that consumers whose personal information is collected in a B2B context will have full CCPA rights starting on that date (unless the law is amended again).
Next up: proposed regulations
On October 10, 2019, the California Attorney General’s office issued proposed regulations that provide businesses with specific guidance regarding: (1) the notices businesses must provide to consumers under the CCPA; (2) the business’s practices for handling consumer requests made pursuant to the CCPA; (3) the business’s practices for verifying the identity of the consumer making those requests; (4) the business’s practices regarding the personal information of minors, and (5) the business’s offering of financial incentives. The public comment period on the proposed regulations closes on December 6, 2019.
We will discuss each of these in upcoming blog posts.