Last Friday, October 11, 2019, one day after the California Attorney General issued proposed regulations to implement the California Consumer Privacy Act of 2018 (“CCPA”), the California Governor, Gavin Newsom, announced that he signed all five of the September 2019 legislative amendments to the CCPA into law. Those amendments include AB-25, AB-874, AB-1146, AB-1355, and AB-1564. The governor had until Sunday, October 13 to either sign or veto the bills.
Among other changes to the CCPA, the amendments make the following notable changes:
- Create a one-year exemption for HR data which sunsets Jan 1, 2021 (AB-25)
- Create a one-year exemption from applicability for business-to-business customer representative personnel date, which sunsets Jan 1, 2021 (AB-1355)
- Make various changes to the definitions of
- “personal information” (AB-874 and AB-1355) to add reasonableness into the capability of being associated with an individual consumer or household; clarifies that personal information does not include de-identified or aggregate consumer information
- “publicly available” information (AB-874); and
- “verifiable consumer request” (AB-1355);
- Create revisions to the private right of action (AB-1355) to clarify that class action lawsuits may only be brought for breaches pursuant to CA data breach notification law when the person information is “nonencrypted and nonredacted”.
- Create limited exemptions for personal information necessary to fulfill a product warrant or recall or vehicle repair covered by a vehicle warranty or recall (AB-1146)
- Clarify that a business does not need to retain or collect information that is in addition to that it would otherwise collect in the ordinary course of business (AB-1355)
- Revise the anti-discrimination right (AG-1355); and
- Clarify that a business only operating online needs to only provide an email address as a designated consumer request method (AB-1564).