The Legislature in Sacramento finished its session last Friday, Sept. 13, and will no longer be able to make changes to the California Consumer Privacy Act before it goes into effect Jan. 1, 2020.
Assuming that California Gov. Gavin Newsom signs all of these laws — he has until Oct. 13 — these amendments will leave the "right to know" intact but make significant changes, including to some of the definitions, the non-discrimination provision, and how a consumer makes a verifiable request. The legislature passed multiple bills; however, AB 1355, Personal Information, seems to be the vehicle that includes most of the changes, including to AB 25 (employee information exemption); AB 874 (changes to the definition of personal information); AB 1564 (elimination of the toll-free number requirement); and AB 1146 (exemptions for vehicle information).
There is a lot to keep track of, but here is an overview of major changes, as well as important requirements that remain unchanged:
The right to know is still strong (1798.110 & 1798.115).
On Jan. 1, 2020 all Californians will be able to find out:
- The categories and specific pieces of personal information a business collects on them. A business is also obliged to disclose in general the categories of personal information it collects about consumers.
- The categories of personal information a business has sold to third parties.
- The categories of personal information a business has to disclose to third parties for business purposes.
Privacy becomes a commodity in California since businesses will be allowed to charge more or offer different access if a consumer opts out of the sale of their personal information or asks a business to delete their information based on the value provided to the business by the consumer’s data.
A consumer still has the right to opt out of the sale of their personal information (1798.120). A consumer also has the right to delete their personal information, with many exceptions (1798.105). The non-discrimination language remains (1798.125); however, clause two clarifies that if a consumer opts in to a financial incentive program, a business may “offer financial incentives including payments ... for the collection, … sale, or … deletion of personal information.” If a consumer does not opt in to the program or requests a business to not sell or delete their personal information, a business “may also offer a different price, rate, level, or quality of goods or services to the consumer if that price or difference is directly related to the value provided to the business by the consumer’s data.”
The definition of "personal information" is weaker and changes to it set the stage for future battles over the definition of "de-identified," "aggregate" and "sell."
Industry was able to add a couple of extra qualifications, using the word “reasonably,” to the definition of personal information. Perhaps more significant was the clarification that “'Personal information' does not include consumer information that is de-identified or aggregate consumer information.” This is significant, especially if industry is successful in future efforts to weaken the definition of de-identified, as it attempted to do in AB 873, since the CCPA only covers the collection, sale, and deletion of “personal information.”
Notably, however, the definition of personal information still relates to a “consumer or household.” Expect more battles over these definitions next year when the California legislature reconvenes.
There will be ongoing battles over how a consumer’s identity is authenticated and how a consumer makes a verifiable request (1798.130) before a business responds to a right to know request.
The new language gives businesses (rather than the Attorney General) the authority to “require authentication of the consumer that is reasonable in light of the nature of the personal information requested, but shall not require the consumer to create an account with the business in order to make a verifiable consumer request.”
The tension, however, is that the Attorney General also has the authority to establish, “rules and procedures to further the purposes of Sections 1798.110 and 1798.115 and to facilitate a consumer’s or the consumer’s authorized agent’s ability to obtain information pursuant to Section 1798.130, with the goal of minimizing the administrative burden on consumers.”
Further, new amendments to 1798.185 clarify that the Attorney General may establish additional regulations “to establish rules and procedures on how to process and comply with verifiable consumer requests for specific pieces of personal information relating to a household in order to address obstacles to implementation and privacy concerns.” Hopefully, Attorney General Xavier Becerra’s office will issue its preliminary rules soon so we will know — or at least have a good sense of, until the final rules are issued — what the CCPA will look like when it goes into effect Jan. 1, 2020.
The data broker registry (AB 1202, Privacy: Data Brokers) requires data brokers to register with the Attorney General.
However, it could negatively impact the effectiveness of the CCPA by expanding the notion of when a business has a “direct relationship” with a consumer including through interacting with an online advertisement or by visiting a business’ internet website. This is important since 1798.99.80 now defines a data broker as, “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.”
The toll-free number requirement has been eliminated for businesses that operate “exclusively online and have a direct relationship with a consumer” (1798.130).
These businesses only need to provide an email address for submitting requests. This is especially significant because of changes in AB 1202 as to the meaning of a business having a “direct relationship with a consumer” in California.
There is now an exemption for certain vehicle information from the right to opt-out for information that is shared for “a vehicle repair covered by a vehicle warranty or a recall…provided that the new motor vehicle dealer or vehicle manufacturer with which that vehicle information or ownership information is shared does not sell, share, or use that information for any other purpose.”
Employee information is exempt ... for now.
When the CCPA goes into effect, employees, contractors, directors and owners will not be able to exercise any of their rights under the CCPA, including the right to know, the right to opt out of the sale, and the right to delete. The exemption sunsets Jan. 1, 2021, with labor unions and privacy groups fighting to eliminate the carveout and industry groups fighting to keep it.
I expect this to be a major battle when Sacramento reconvenes in January.
Loyalty card program exemption (AB 846) was moved to the inactive file because it is unnecessary based on the changes to the non-discrimination provision.
The Senate made amendments to AB 846 clarifying that businesses collecting personal information as part of a loyalty program could sell that information if they obtain the consent of the consumer. However, it stipulated that the consumer could withdraw consent to the sale of personal information while continuing to participate in and receive benefits from the program. Since other businesses would be allowed to offer different prices or levels of access due to changes in 1798.125 (the non-discrimination provision), the amendment that should have benefited retailers with loyalty programs would in practice have limited their use of the personal information more than other businesses.