By Rotem Perlman-Farhi and Dan Or-Hof
The California governor has signed into law six bills to amend the CCPA. Some of the amendments are technical in nature and aim to clarify ambiguity and correct technical mistakes in the original text of the CCPA. Other amendments bear substantial implications.
Registration of Data Brokers (AB 1202)
According to AB 1202, a data broker will need to register annually (on or before January 31 of each year) with the Attorney General, and provide the following information:
- The name of the data broker and its primary physical, email, and internet website addresses.
- Any additional information or explanation the data broker chooses to provide concerning its data collection practices.
The submitted information will be published on the Attorney General’s website and will be accessible to the public, so that consumers will know which businesses to contact in order to exercise their right to opt-out of selling their personal information.
What is a data broker? It is a business that knowingly collects and sells to third parties the personal information of consumers with whom the business does not have a direct relationship.
What is “selling” personal information? The CCPA’s definition for “selling” is much broader than the general notion of this term and encompasses most types and forms of data sharing for monetary or other valuable consideration.
Therefore, many companies that do not consider themselves data brokers may need to register. The registration may enhance the extent of oversight and scrutiny over the registered companies’ activities and practices.
Online Businesses Are Exempt from Providing a Toll-Free Number (AB 1564)
The CCPA requires businesses to provide to consumers two or more designated methods for submitting requests for information, including, at a minimum, a toll-free telephone number.
The amendment clarifies that a business that operates exclusively online and has a direct relationship with a consumer from whom it collects personal information will only be required to provide an email address for submitting such requests.
Submission of Requests Via the Consumer’s Account with the Business (AB 25)
The CCPA requires businesses to verify consumers’ identity before answering their requests to exercise rights, such as the right to access information about them.
Presumably, the California legislator tried to preempt businesses’ attempts to make it harder for consumers to exercise their rights. Accordingly, the CCPA prohibits businesses from requiring consumers to create an account to make a ‘verifiable consumer request’ to exercise their rights.
AB 25 makes it clear that a business may require a consumer to provide authentication details that are reasonable in light of the nature of the personal information requested, in order to make a verifiable consumer request.
No Consumer Rights to Employees (AB 25)
For a period of 1 year (until January 1, 2021), AB 25 exempts from the exercise of consumers’ rights under the CCPA personal information collected from a job applicant, an employee, a director, an officer, a medical staff member or a contractor of a business, to the extent that the personal information is collected and used solely in such contexts.
This exemption does not include the private action provision (if the data is breached) and the obligation to provide proper notices to the employees about the personal information that the employer collects.
Private Right of Action (AB 1355)
AB 1355 clarifies that the private right of action for data breaches is limited to a consumer whose nonencrypted and nonredacted personal information has been breached (and not to a consumer whose nonencrypted or nonredacted personal information has been breached as written in the original text of the CCPA).
The amendment corrects a mistake in the original text and does not change the purpose of this provision.
Exceptions to Consumers’ Rights (AB 1146)
AB 1146 introduces new exceptions to consumers’ rights under the CCPA:
- Vehicle information or ownership information retained or shared between a new motor vehicle dealer and the vehicle’s manufacturer is exempt from the right to opt out of the sale of personal information, if the information is shared for the purpose or in relation to a vehicle repair covered by a vehicle warranty or a recall.
- Personal information that is needed for a business to fulfill the terms of a written warranty or product recall, according to a federal law, is exempt from the right of deletion. A business may refuse to comply with a consumer’s request to delete such information.
Redefining the Boundaries of “Personal Information” (AB 874)
AB 874 redefines “personal information” to mean: “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Both AB 1355 and AB 874 also exclude deidentified and aggregated consumer information from the definition of “personal information”.
Presumably, the addition of “reasonably” reinforces the perception that de-identification is relative. It means that businesses may have more leeway to argue that data is de-identified because it is not reasonably capable of being associated with a specific consumer or household.
Compare this definition with the GDPR (see recital 26) which advocates a more rigid approach for anonymity (“anonymous in such a manner that the data subject is not or no longer identifiable”) and for ‘personal data’ (“any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly…”).
AB 874 also defines “publicly available” to mean information that is lawfully made available from federal, state, or local records. Publicly available information is out of the ‘personal information’ scope as well.
Other Important Changes
AB 1355 provides an exception to the prohibition on a business to discriminate against a consumer for exercising any of their rights under the CCPA, if the differential treatment is reasonably related to the value provided to the business by the consumer’s data.
AB 1355 clarifies that a business must disclose to a consumer, at the consumer’s request, the specific pieces of personal information that the business has collected about that consumer, and not just the categories of information that the business has collected.
AB 1355 also clarifies that a business must obtain affirmative authorization from the consumer to sell the consumer’s personal information, when the consumer is at least 13 and less than 16 years old.
Selling personal information about children under 13 requires parental consent. Selling personal information about teenagers over 16 does not require prior consent and is subject to the general opt-out of data sale under the CCPA.