On October 11, 2019, California Governor Gavin Newsom signed into law seven amendments to the California Consumer Privacy Act (CCPA). This article discusses key components of the CCPA, and then discusses the amendment to the CCPA.
Whom Does the CCPA Protect?
The CCPA protects data privacy of “consumers,” whom the law defines as residents of California. The provisions of the CCPA govern how any business, as the law defines the term “business,” handles personal information relating to a California resident. That is, the business need not have a business-customer relationship with the individual for the CCPA to apply.
To Whom Does the CCPA Apply?
The scope of the CCPA is broad in terms of who it covers. The following entities must comply with the CCPA:
- Entities that collect consumer personal information
- Entities that determine the purposes and means of processing that personal information.
- Entities that do business in California, and that meet one of the following thresholds:
  - Have an annual gross revenue that exceeds $25 million;
  - Annually buy, receive for commercial purposes, sell, or share for commercial purposes personal information relating to 50,000 or more consumers, households, or devices; or
  - Derive more than 50% of their annual revenue from selling consumers’ personal information.
What is “Personal Information” Under the CCPA?
Under the CCPA, personal information includes any information that:
- Relates to;
- Is capable of being associated with; or
- Could reasonably be linked to, directly or indirectly,
a particular consumer or household.
Under the CCPA, What Does Personal Information Include?
Under the CCPA, personal information includes eleven specific categories relating to consumers. These categories include:
- Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
- Any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information.
- Characteristics of protected classifications under California or federal law
  - Protected classifications include (among others):
    - National origin
    - Gender (including pregnancy)
    - Citizenship status
- Commercial information, including:
  - Records of personal property,
  - Records of products or services purchased, obtained, or considered, and
  - Other purchasing or consuming histories or tendencies.
- Biometric information.
- Internet or other electronic network activity information, including, but not limited to:
  - Browsing history;
  - Search history; and
  - Information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.
- Geolocation data.
- Audio, electronic, visual, thermal, olfactory, or similar information.
- Professional or employment-related information.
- Education information (i.e., information that is not publicly available personally identifiable information as defined in the federal Family Educational Rights and Privacy Act (FERPA)).
- Inferences drawn from any of the above to create a profile about a consumer reflecting the consumer’s:
  - Psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
What Is The Amendment to the CCPA?
The seven amendments to the CCPA are as follows:
- First Amendment to the CCPA: Assembly Bill (AB) 1355 addresses CCPA drafting errors and makes other clarifying changes to the CCPA. Notably, AB 1355 amends the CCPA to specify that, until January 1, 2021, certain CCPA obligations do not apply to personal information reflecting a communication or transaction between a business and the consumer, where the consumer is a natural person.
- Second Amendment to the CCPA: Assembly Bill (AB) 1202 requires data brokers to register with the Attorney General of California. Under the CCPA, a “data broker” is “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.”
- Third Amendment to the CCPA: Assembly Bill (AB) 25 modifies the CCPA so that the CCPA does not cover collection of personal information from employees, job applicants, directors, officers, business owners, medical personnel, or contractors, for a period of one year.
- Fourth Amendment to the CCPA: Assembly Bill (AB) 1564 requires businesses to provide two methods for consumers to submit information requests, including, at a minimum, a toll-free number. AB 1564 also provides that a business that operates exclusively online, and that has a direct relationship with a consumer from which it collects personal information, need only provide an email address for submitting requests.
- Fifth Amendment to the CCPA: Assembly Bill (AB) 1146 ensures that nothing in the CCPA prevents the sharing of vehicle information for the purpose of enabling repairs covered by a warranty or a manufacturer’s recall.
- Sixth Amendment to the CCPA: Assembly Bill (AB) 874 modifies the definition of “publicly available,” and the definition of “personal information.” With the passage of this amendment, “publicly available” information that is exempted from the “personal information” (PI) definition in the California Consumer Privacy Act of 2018 (CCPA), now includes any information that is lawfully made available from government records. AB 874 also amends the definition of “personal information,” (PI) to clarify that PI does not include deidentified or aggregate consumer information. AB 874 also specifies that personal information includes information that is “reasonably capable” of being associated with a particular consumer or household, as opposed to “capable” of being associated.
- Seventh Amendment to the CCPA: Assembly Bill (AB) 1130 modifies the definition of “personal information” to include biometric data, such as fingerprints and retina scans. AB 1130 also modifies the definition of personal information to include passport numbers, tax identification numbers, military identification numbers, and other unique identification numbers issued on a government document. The amendment also allows data breach notifications involving biometric data to include instructions on how to notify other entities that used the same type of biometric data as an authenticator to no longer rely on that data for authentication purposes.