The CCPA Amendments that Survived the California Legislature
After months of deliberation and negotiation, the California Legislature has passed a series of amendments to the California Consumer Privacy Act.
As the legislative session came to a close last week, the California Legislature passed five bills that amend the California Consumer Privacy Act ("CCPA"). Here are the five bills that are now headed to the governor for signature:
- A.B. 25—Excludes employee data from a consumer's right to access, deletion, and opt-out. Employers are still required to comply with the disclosure requirements and are subject to the data security private right of action for employee data.
- A.B. 874—Clarifies that "publicly available information" and "deidentified or aggregate" information are not considered "personal information."
- A.B. 1146—Excludes from the right to opt-out vehicle and ownership data for purposes of vehicle repair relating to warranty or recall.
- A.B. 1355—Clarifies various provisions of the CCPA, including modifying the definition of "personal information," clarifying that deidentified and aggregate information are exempt from the statute, modifying the FCRA exemption, and excluding personal information collected on another business's employees in certain B2B contexts.
- A.B. 1564—Provides that businesses that operate exclusively online need to provide only an email address for consumer requests.
The exclusions in both A.B. 25 and A.B. 1355 are subject to a one-year moratorium.
Taken together, these bills help clarify ambiguous provisions and focus the potential scope of the CCPA. Of particular importance are the amendments excluding employee data and other businesses' employees for one year from various obligations under the CCPA.
The Legislature also passed a sixth bill, A.B. 1202, which does not amend the CCPA but is likely relevant to many businesses preparing for CCPA compliance. Specifically, this bill creates a new class of data processors, "data brokers," who must register with the attorney general every year.
Businesses that must comply with the CCPA would be wise to anticipate the possibility of these bills becoming law and should consider taking steps now to align their data compliance programs with these amendments in mind.
Jones Day publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our “Contact Us” form, which can be found on our website at www.jonesday.com. The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.