Before adjourning last Friday, the California Legislature tweaked some of the language in the state’s moderately complicated version of the European Union’s General Data Protection Regulation. The California Consumer Privacy Act’s requirements applicable to personal information of employees are now somewhat less onerous for organizations, as are obligations for personal information obtained during certain business-to-business transactions.
The amendments “clarify the law for business so that it is less confusing and so that implementation efforts can stand on better footing,” says D. Reed Freeman, a partner at WilmerHale and co-chair of the law firm’s Cybersecurity and Privacy Practice and Big Data Practice. While some in the for-profit world might be celebrating these latest developments, the clock is still ticking toward the Jan. 1, 2020, effective date of the privacy law.
Privacy proponents might be breathing a sigh of relief that the fundamentals of the law as originally passed still stand. Google had reportedly floated proposed revisions that would have diminished the CCPA’s impact. (Representatives for Alphabet Inc., the parent company of Google, did not respond to an inquiry about the company’s satisfaction with the latest round of changes to the California statute.)
“The takeaway for privacy advocates is they were able to retain the core privacy rights,” says David Stauss, a data privacy, cyber-security, and breach response partner at law firm Husch Blackwell. “They resisted efforts to have larger changes made.”
Indeed, the amendments mostly “provide clarifications or discrete refinements to the scope of the statute,” notes Christine Lyon, a privacy partner at law firm Morrison & Foerster. Ultimately, though, the changes to the CCPA “will benefit most companies,” she says.
The amendments are generally seen as helpful to businesses. One significant change is that companies subject to the law “have a one-year exemption from nearly all CCPA requirements related to personal information that a business collects from its job applicants, employees, contractors, and certain other individuals,” Jodi Daniels, CEO of privacy consultant Red Clover Advisors, explains.
Those individuals still have the right to be informed why their information is being collected, though. They also retain their right to bring a private right of action in the event of a data breach, Daniels says. In short, companies have a bit more leeway before having to adhere to privacy act requirements, but they can still be sued if something goes wrong.
Regardless of whether firms welcome the amendments with open arms, it looks like the CCPA is here to stay. While most thought the law “would go away and not come into effect,” says Daniels, California’s statute “is the first of what will likely be a wave of new privacy laws coming.”
A break for the B2B crowd
Thanks to the CCPA amendments, personal information collected as part of certain business-to-business transactions is no longer subject to some of the law’s requirements, at least for now.
“The B2B exemption is going to help a number of businesses that operate on a B2B format,” Stauss says. At the same time, he cautions, the revision is not a silver bullet as it contains “some ambiguity” and “is going to apply differently in different contexts.” Like the exemption for employee information, the business-to-business exemption contains a one-year sunset provision.
An added measure of reasonableness
Businesses of all sorts might take heart in a modification to the meaning of personal information covered by the privacy act. The revisions to the law water down the definition by limiting personal information to that which is reasonably capable of being associated with a consumer or household.
The change helps “narrow the extremely wide scope of just about any piece of data that could in theory have been construed as personal information,” Daniels explains.
The CCPA amendments also include “a number of revisions to correct drafting errors” in the original law, says Daniel Pepper, a partner at BakerHostetler.
Motor vehicle dealers and manufacturers get a bit of a break thanks to the revised law. The amendments exempt “from the CCPA’s notice, disclosure, and access obligations, as well as its private right of action” certain information shared between them involving a vehicle repair covered by a warranty or recall, Pepper notes.
Who must comply?
As originally passed in June 2018, the CCPA was intended to help Californians know what personal information was being collected about them and whether that information was being sold or provided to others.
For-profit businesses with gross revenues greater than $25 million are subject to the law, as are those that buy, receive for commercial reasons, or sell personal information of 50,000 or more consumers, households, or devices. Companies that receive more than half of their revenue from selling consumers’ personal information are subject to it as well.
California Governor Gavin Newsom has until Oct. 13 to sign the revisions. His anticipated approval, however, will not be “the final word on the CCPA,” Lyon notes. “We continue to await the California Attorney General’s rulemaking” on the privacy act’s requirements, she said.
Although the state attorney general’s implementing regulations have not yet been issued, companies still need to prepare to comply with the law. “It can be tempting to ‘wait and see’ because so many issues remain unresolved, even following these amendments,” Lyon says. “However, the basic elements of the CCPA are established,” and some of those core elements “tend to require significant operational work and lead time.” To that end, Lyon says, “chief compliance officers should not wait until the dust has settled on CCPA to undertake compliance efforts.”
Another law approved by the California Legislature at the same time the changes to the CCPA were OK’d requires data brokers to register with the state attorney general, Daniels notes. Chief compliance officers “will need to determine if they meet this definition of a data broker requiring registration,” she says.
Lori Tripoli is a writer based in the greater New York City area who focuses on legal and regulatory issues