Takeaways

For the first year it is in effect, the CCPA will not apply to personal information collected about employees or in B2B transactions by a covered business.
The CCPA exemption has been expanded to cover eligibility information that a business covered by the Fair Credit Reporting Act (FCRA) uses in accordance with the FCRA.
Limited new motor vehicle and owner information shared between the dealer and manufacturer is now out of scope of the CCPA.

The California Consumer Privacy Act of 2018 (CCPA) goes into effect on January 1, 2020. The CCPA grants “consumers” (any California resident regardless of whether there is a customer or any other relationship with the covered business) five new rights respecting their personal information:

  1. The right to know a business’ data collection practices, including the categories of personal information it has collected, the source of the information, its use of the information and to whom it disclosed the information;
  2. The right to receive a copy of the specific personal information collected about them during the 12 months before their request;
  3. The right to have such information deleted (subject to certain exceptions);
  4. The right to know a business’ data sale practices; and
  5. The right to request that their personal information not be sold to third parties.

From the perspective of a covered business, these new rights oblige the business to put in place processes to identify, locate and retrieve personal information about California residents that the business collects or receives and retains. These processes are required so that the business can respond to the demands Californians may now make under the CCPA, including demands for disclosure of personal information the business collected in the previous 12 months and for deletion of personal information about the requesting party.

Businesses required to comply with the CCPA have been faced with the challenge of identifying and tracing personal information that they collect from all California residents, whether they are customers, employees, employees of vendors or strangers to the business. The California legislature on September 13 adopted a series of bills that amended the CCPA, and Governor Gavin Newsom announced on October 11 that he had signed the measures into law. These amendments: (i) temporarily take out of scope of the CCPA certain business-to-business and employee information for a one-year period ending January 1, 2021; (ii) expand and clarify the FCRA exemption from the Act on a permanent basis; and (iii) add a limited exemption for new motor vehicle information sharing on a permanent basis.

Employee Information

Until January 1, 2021, certain information about employees is outside of the scope of the CCPA. This temporary exemption only covers information collected in the course of the individual’s acting as a job applicant, employee, officer, director or contractor of the covered business, and only to the extent that the business uses such information in the context of the individual’s role (or former role) as an applicant, employee, etc. This includes emergency contact information that an applicant, employee, etc. provides (which would include information about another individual who is the emergency contact), so long as it is only used for that purpose. The exemption also covers information that an applicant, employee, etc. provides in the context of applying for or receiving benefits for the individual or others related to the individual, so long as the information is only used for that purpose.

The business must still make the disclosures required in Section 1798.100(b) in its privacy policy or at or before the time of collection of information, namely “the categories of personal information to be collected and the purposes for which the categories of personal information shall be used.” The business is also prohibited from collecting additional information or using it for additional purposes without first providing notice to the consumer.

This leaves in scope of the CCPA information that is received from an employee, applicant, etc. in any other context, such as when the employee makes a purchase, signs up for a newsletter or subscription, or otherwise interacts with the business outside of the employer-employee relationship. Thus, an employee who is a California resident has the right to request disclosure and deletion of information the business collects outside the employer-employee relationship, but may not request disclosure or deletion of information the business collects within that relationship.

Business-to-Business Information

Also until January 1, 2021, a covered business is relieved of certain obligations with respect to certain business-to-business information. Those obligations are specified in Sections 1798.100 (disclosure of information collected and used in the privacy policy), 1798.105 (on-demand request for deletion), 1798.110 (on-demand request for disclosure of information collection practices), 1798.115 (on-demand request for disclosure of information sharing practices), 1798.130 (specific requirements for response to on-demand requests), and 1798.135 (requirements for facilitating do-not-sell requests). Notably, the amendment does not exempt a covered business from its obligations under 1798.120—the right of an individual to tell the covered business not to sell his or her personal information.

The information that is temporarily exempted under this amendment is “information reflecting a written or verbal communication or a transaction between the business and the consumer, where the consumer is a natural person who is acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, non-profit, or government agency and whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from such company, partnership, sole proprietorship, non-profit, or government agency.”

While facially this may appear to be a limited exemption, it would excuse a business from the obligations noted above with respect to such information whether the business is the buyer or seller of the goods or services, including when the business is merely preparing to buy or sell the goods or services. Thus, until the end of 2020, when a covered business, while performing due diligence in anticipation of a transaction or conducting a transaction with another entity, receives information about an employee, owner, etc. of that entity, the business is excused from its obligations with respect to that information, except for its obligation to honor an opt-out request.

For example, if a covered business engages a company to supply janitorial services to the properties of that business, the information the covered business receives about its points of contact with the janitorial service company (e.g., sales representative or account manager) and about any individuals performing the janitorial services on behalf of their employer is all out of scope of the CCPA, except that the business must honor a request to opt out of the sale of personal information. Conversely, if a covered business sells services to another entity, which services are intended to be used by the employees of that other entity (e.g., travel services), then it would appear that the information collected by the covered business from the employees of its business customer (e.g., travel booked, payment records, identification information, etc.) would similarly be out of scope of the CCPA.

FCRA Eligibility Information

As originally drafted, the CCPA exempted information sold to or from a consumer reporting agency if the information is to be reported in or used to generate a consumer report under the FCRA. The September 13, 2019 amendments expanded this exemption to specify that “eligibility information” that is part of a consumer report and is collected, maintained, disclosed, sold, communicated or used by consumer reporting agencies, furnishers of information, or users of information is exempt from the CCPA, provided that the eligibility information is used only for purposes permitted under FCRA.

Eligibility information as defined under FCRA includes information that bears on an individual’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics or mode of living. Permitted purposes under FCRA are limited to evaluation of eligibility for credit, employment or insurance.

As a result of these amendments, covered businesses are not required to disclose, provide or delete such information. This change is a permanent change to the CCPA.

Motor Vehicle Information

The September 13, 2019 amendments added an exception to the CCPA for information about motor vehicles (limited to the VIN, make, model, year, and odometer reading) and ownership information (limited to the names of the registered owner(s) and their contact information) where the information is retained or shared between a new motor vehicle dealer and the vehicle’s manufacturer for the purpose of providing warranty services or recall notices. This change is a permanent change to the CCPA.
