On Tuesday, July 9, 2019, four amendments to the California Consumer Privacy Act (CCPA) were passed by the California Senate Judiciary Committee: AB 25, AB 846, AB 1564, and AB 874. These amendments change how businesses are required to support requests to access personal information (PI) made by consumers (access requests) and what’s considered PI, and they provide new exemptions and clarity on compliance with the law.

    In this post we’ll quickly go over what these amendments cover and why they matter. We’ll also briefly touch on AB 873 which didn’t pass, but may be reconsidered before the end of the legislative session on September 13, 2019.

    Finally, before we dig in, it’s important to note that these bills have not yet been signed into law by the Governor of California. If they are signed into law by the Governor, they will amend the CCPA and will go into effect on January 1, 2020.

    AB 1564

    What changed?

    AB 1564 amends how businesses are required to support access requests.

    As written previously, businesses had to support at least two methods of access requests: by toll-free phone number and via their website, if they have one. Businesses are no longer required to provide a phone number if they provide an email and mailing address for PI disclosures. 

    That said, businesses that operate exclusively online do not need to provide a mailing address. However, if the business maintains a website, that website must be made available to consumers for access requests.

    Why these changes matter

    Requiring a toll-free number would incur an additional cost to businesses, as they would need to invest in additional staff and technology to operate such a phone line. This amendment makes it easier for digital-only businesses to comply.

    AB 25

    What changed?

    AB 25 amends the requirements for access requests and adds exemptions for PI that falls outside the scope of the CCPA.

    Access request authentication and verification — Businesses may now require authentication before disclosing PI in response to an access request. Further, if the consumer has an account with the business, the business can require that the access requests be made through the existing account.

    PI exemptions — Employee data will be exempt from the scope of the CCPA.

    PI collected by a business is exempted from the CCPA as long as its usage is limited to the following contexts:

    • Information collected on a person within the natural course of their role within the business or during their application
    • Emergency contact information for a person operating within a specific role
    • Administering benefits for a third party other than the person (e.g. spousal/dependent benefits)

    Why these changes matter

    Previously, the requirements around how an access request should be submitted were relatively vague. AB 25 adds clarity to the access request process.

    Adding an authentication requirement also allows businesses to verify the identity of the individual making the disclosure request to ensure PI is not being sent to a bad actor.

    AB 25 also eases the burden of compliance as it relates to a business’s employees, agents, and job applicants. Further, it eliminates the possibility of an employee attempting to exploit the CCPA, e.g. by requesting a deletion of their personnel file which may contain complaints against them.

    AB 846

    What changed?

    AB 846 clarifies how loyalty programs will be treated under the CCPA by establishing that voluntary loyalty programs can operate without conflicting with the right to equal service and price outlined within the Act.

    Why these changes matter

    With AB 846, businesses that run loyalty programs are explicitly allowed to continue doing so without running afoul of the CCPA, as long as the program is run in good faith.

    AB 874

    What changed?

    AB 874 amends the definition of PI and what is considered “publicly available.”

    PI definition: de-identified or aggregate information is no longer considered personal information.

    Publicly available information—businesses are no longer obligated to limit use of publicly available information for the purposes that the government originally made it available.

    Why these changes matter

    These changes significantly ease compliance for businesses that de-identify or aggregate personal information and process publicly available information, because this information is not considered PI.

    Further, since a business has no real way to discern every purpose for which the government disclosed information, they also have no real way to determine whether or not they are using publicly disclosed information in a compliant manner. As such, without AB 874, publicly available information would be rendered nearly unusable.

    AB 873

    Unlike the rest of the amendments listed above, AB 873 did not pass in the California Senate Judiciary Committee. However, it was granted reconsideration, and may be passed at a later date. AB 873 is significant because it redefines and loosens the requirements as to what is considered “de-identified information.”

    What is next for these amendments? 

    The California Legislature is scheduled to adjourn for its summer recess on July 12, and will reconvene on August 12, after which the amendments will continue to proceed through the legislative process. The California Legislature is scheduled to end its session on September 13, meaning that final action must be taken on the amendments prior to that date.

    Have more questions about CCPA? Email us at info@rampedup.us or tweet us @RampUp!
