The rush for California to get all of the “rules of the road” ready for next year seems to have caused a bit of confusion with California’s privacy law. Draft regulations were published the same day the Governor signed into law a series of amendments to the underlying statute. Now that the Governor has signed the last raft of amendments and the dust has somewhat settled, the question on everyone’s mind is: What changed in the California Consumer Privacy Act (“CCPA”)? And how does this affect the draft regulations that the Attorney General published?
Fortunately, a number of significant changes help clarify the CCPA and materially change its scope, even though the AG did not incorporate some of them into the initial draft regulations announced earlier this month. The most impactful changes across industries are as follows:
Employee Exemption
To start off, the issue of employee coverage under the CCPA has been a fractious one. On one hand, business has rightly argued that the relationship with an employee is not the same as the relationship with a customer. On the other hand, privacy advocates have argued that employees should not give up privacy rights just because they are employees.
This debate came to a head in the Judiciary Committee meeting held July 11 on Assembly Bill (“AB”) 25. It was there that the California Legislature struck a compromise: AB 25 largely exempts employees from the CCPA, but employees must receive a privacy notice stating the categories of data collected and the purposes for which the data will be used. See Cal. Civ. Code 1798.100(b). This is the kind of information usually found in a privacy notice.
What is important about this exception is that a business cannot process Personal Information for a purpose not disclosed in the notice. As a consequence, businesses should draft employee privacy notices carefully and with enough breadth to cover all of the ordinary, and extraordinary, purposes to which employee data will be put.
One last point: the AB 25 employee carve-out has a time limit. If the Legislature does not act again on employee privacy in the next legislative session, the carve-out will expire in 2021.
Business-to-Business Exemption
Another challenging issue in the earlier version of the CCPA was that a business had to manage its clients’ employee data the same way it managed customer data. Obviously, this created tension when the business had to extend deletion rights to a person who worked for its client or vendor.
Fortunately, AB 1355 exempts business-to-business communications and Personal Information transfers to the extent that the individuals involved in the processing are employees (or contractors, owners, etc.) of the two businesses. More importantly, the AB 1355 carve-out for client and vendor employees covers all of the notice provisions of Cal. Civ. Code 1798.100. So, while a business still has to provide a privacy notice to its own employees, it does not have to do the same for its clients’ or vendors’ employees.
Definition of Personal Information
AB 1355 and AB 874 both clarified that Personal Information does not include Deidentified or Aggregated Information. Note that Deidentified Information is a defined term under the CCPA and is harder to achieve than merely removing a name or ID number. Not only must Deidentified Information be information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer, but the business must also:
(1) implement technical safeguards that prohibit reidentification of the consumer to whom the information may pertain;
(2) implement business processes that specifically prohibit reidentification of the information;
(3) implement business processes to prevent inadvertent release of Deidentified Information; and
(4) make no attempt to reidentify the information.
Without these additional safeguards, information is not Deidentified even if it cannot be linked to a particular consumer.
Note that the “…be linked, directly or indirectly, to a particular consumer…” language indicates that persistent cookies carrying a UDID or other unique identifier will likely not be considered deidentified, because the CCPA includes identification of a device within the definition of Personal Information.
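A worked illustration of the linkability point above, added here as an example and not code from the original post. It uses constructed analytics events and an assumed hashing key to show three things: replacing a cookie ID with a keyed hash still leaves a persistent per-device identifier of the kind the CCPA treats as Personal Information; whoever keeps the key can map the token back, which is why such a token does not satisfy “technical safeguards that prohibit reidentification”; and only dropping the identifier and publishing suppressed aggregates removes the link. The detection heuristic in linking_fields and the k threshold in aggregate are illustrative choices, not anything the statute specifies.

```python
import hmac
import hashlib
from collections import Counter

# Constructed sample web-analytics events (illustrative only, not data from
# the original post). "cookie_id" stands in for a persistent first-party
# cookie or device identifier.
RAW_EVENTS = [
    {"cookie_id": "c-1a2b3c", "page": "/pricing", "zip": "94105"},
    {"cookie_id": "c-1a2b3c", "page": "/signup",  "zip": "94105"},
    {"cookie_id": "c-9f8e7d", "page": "/pricing", "zip": "94107"},
    {"cookie_id": "c-5566aa", "page": "/pricing", "zip": "94107"},
    {"cookie_id": "c-5566aa", "page": "/signup",  "zip": "94105"},
    {"cookie_id": "c-77bb88", "page": "/docs",    "zip": "94105"},
    {"cookie_id": "c-9f8e7d", "page": "/pricing", "zip": "94105"},
]

# Assumption: a hashing key the business keeps so tokens stay stable over time.
HASH_KEY = b"assumed-secret-key"


def _token(cookie_id, key):
    """Keyed hash of a cookie value, truncated for readability."""
    return hmac.new(key, cookie_id.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymize(events, key):
    """Replace cookie_id with a keyed hash. This is pseudonymization, not
    deidentification: the token is simply a new persistent device identifier."""
    return [
        {"device_token": _token(e["cookie_id"], key), "page": e["page"], "zip": e["zip"]}
        for e in events
    ]


def linking_fields(events):
    """Heuristic (illustrative): report fields whose values are mostly distinct
    yet recur across records, i.e. fields that behave like per-consumer keys.
    Any such field lets records be linked, directly or indirectly, to a
    particular consumer or device. Low-cardinality fields such as page and zip
    pass this test but remain quasi-identifiers, which is why aggregate()
    still suppresses small cells."""
    fields = sorted(set().union(*(e.keys() for e in events)))
    flagged = []
    for f in fields:
        values = [e[f] for e in events if f in e]
        counts = Counter(values)
        recurs = any(n > 1 for n in counts.values())
        mostly_distinct = len(counts) / len(values) > 0.5
        if recurs and mostly_distinct:
            flagged.append(f)
    return flagged


def reidentify(token, candidate_cookies, key):
    """Whoever holds the key and the raw cookie list can map a token back to
    its cookie. Retaining that capability is why a keyed hash on its own does
    not amount to a technical safeguard that prohibits reidentification."""
    for c in candidate_cookies:
        if _token(c, key) == token:
            return c
    return None


def aggregate(events, k=2):
    """Drop the identifier entirely and publish visit counts per (page, zip),
    suppressing any cell seen by fewer than k distinct devices so that no
    single consumer or device can be singled out. No key or mapping is kept."""
    visits = Counter((e["page"], e["zip"]) for e in events)
    visitors = {}
    for e in events:
        visitors.setdefault((e["page"], e["zip"]), set()).add(e["cookie_id"])
    return {cell: visits[cell] for cell in visits if len(visitors[cell]) >= k}


if __name__ == "__main__":
    print("raw linking fields:", linking_fields(RAW_EVENTS))
    tokens = pseudonymize(RAW_EVENTS, HASH_KEY)
    print("pseudonymized linking fields:", linking_fields(tokens))
    print("reidentified:", reidentify(tokens[0]["device_token"],
                                      [e["cookie_id"] for e in RAW_EVENTS], HASH_KEY))
    print("aggregate:", aggregate(RAW_EVENTS))
```

Running it flags cookie_id in the raw data and device_token in the hashed copy, recovers the original cookie from the first token with the key, and leaves only the three (page, zip) cells visited by at least two devices. The aggregate output is closer to what the statute calls Aggregated Information; whether it is “Deidentified” still depends on the business-process requirements in items (2) through (4), which no code can satisfy by itself.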
“Data Brokers” Now Have to Register
This concept did not exist in the original CCPA, but with all of the news about businesses that sell and trade in consumer information, the California Legislature decided that there needs to be more transparency about who is trading in consumer information. That is what AB 1202 does.
To this end, a business that “…knowingly collects and sells to third parties the Personal Information of a consumer with whom the business does not have a direct relationship…” is considered a “data broker”. This will likely sweep in many businesses in the affiliate marketing and advertising ecosystem. Note that it does not make the advertiser itself a data broker: the advertiser has a direct relationship with the consumer through the consumer’s engagement with the advertiser’s website, if nothing else.
However, the other entities, unknown to the consumer, that drop cookies on a website are likely to be deemed data brokers. This does not make a data broker’s business illegal per se. It only means that these businesses have to register with the state and will be listed on a searchable webpage. Clearly, this is designed to give consumers a one-stop shop for identifying the businesses with which they may choose to exercise their opt-out rights.
Finally, any business-to-business entity should take a close look at how it moves Personal Information around to verify that it does not trigger the definition and is thus required to register.
Federal Law Preemptions
Previous iterations of the CCPA were ambiguous, to varying degrees, in how they tried to avoid conflict with the federal privacy laws (HIPAA, GLB, FCRA and others). The latest amendments tried to resolve some of those ambiguities and, in some cases, actually did.
Now, under the FCRA exception, any “…activity involving…” the FCRA is exempted insofar as it is regulated by the FCRA. Previously, only the sale of information to a consumer reporting agency (“CRA”) was exempted. This is a much-needed clarification that the CCPA does not apply to any activity governed by the FCRA, regardless of the actor.
Covered entities, as defined by HIPAA, are exempted from the CCPA. Note that this does not exempt Business Associates directly. However, any protected health information covered by HIPAA (or by California’s Confidentiality of Medical Information Act, the state’s mini-HIPAA) is also carved out. Thus, a Business Associate’s activities with covered entities appear to be effectively carved out because the data itself falls within the exception.
The GLB exception is still a little murky. The exception applies to Personal Information processed “pursuant” to GLB, not to the regulated entity itself, even though the entity is what actually triggers the application of GLB. This leaves it somewhat unclear whether the exception extends to a financial institution’s service providers, because in some instances GLB does not apply directly to the service provider; it applies only to the financial institution.
Thus, there is still a question whether a financial institution’s use of a third party brings the service provider within the GLB exemption. Common sense would seem to dictate so, but that is not exactly how the law is written. We can hope for more clarification from either the AG or the California Legislature.
As seems to always be the case, the law continues to be in flux and we will continue to analyze any changes as they appear.