In this month's edition of our Privacy & Cybersecurity Update, we examine five amendments to the California Consumer Privacy Act, the EU Court of Justice's rulings on the "Right to Be Forgotten" and what qualifies as a joint controller, as well as a Welsh court's precedent-setting ruling on facial recognition technology. We also take a look at a Texas federal judge's ruling to stay a case involving coverage on a phishing scam dispute and a Maryland federal judge's order requiring Marriott to publicly release a PFI report.
Five Amendments to the California Consumer Privacy Act on Governor's Desk
CJEU Holds That 'Right to be Forgotten' Only Applies to Searches in the EU
CJEU Rules on Interpretation of Joint Controller
UK Court Decides on the Use of Facial Recognition Technology
Federal Judge Puts Dispute Involving Multimillion-Dollar Phishing Scam Coverage on Hold
Marriott Ordered to Publicly Release Forensic Report in Cybersecurity Class Action Lawsuit
Five Amendments to the California Consumer Privacy Act on Governor's Desk
The California State Assembly and Senate passed five of the many proposed bills seeking to clarify the California Consumer Privacy Act (CCPA) before it goes into effect on January 1, 2020. Gov. Gavin Newsom has until October 13, 2019, to sign or veto the bills.
As the 2019 California legislative session drew to a close, the legislature passed five amendments to the CCPA that must be signed or vetoed by the governor by October 13, 2019. While the amendments provide some clarity on certain issues, as well as some relief for companies that have only employees and not any consumers who are California residents, many of the more significant amendments that had been proposed by privacy advocates and businesses were not passed.
Exclusion of Certain Employee-Related Information
Under Amendment AB25, many of the CCPA requirements would not apply until January 1, 2021, for job applicants, employees, contractors, medical staff members, owners, officers and directors (the latter five roles also would become newly defined terms), provided their information is used solely in the context of their current or former role with a business. Although the definition of "contractors" is likely meant to include independent contractors working for a business, it is defined broadly as a natural person who provides any service to a business pursuant to a written contract. The amendment also would exclude personal information that qualifies as the emergency contact information of that individual, provided it is collected and used solely in the context of having an emergency contact on file. Finally, the amendment would exclude the personal information of relatives of an individual whose information is collected and retained for the purpose of administering benefits, provided the information is used solely for that purpose. The following CCPA provisions would still go into effect on January 1, 2020, for these individuals:
the obligation to notify these individuals about the categories of personal information that the business collects and the purposes for which the information is used, at or before the point of collection;
consent would still be required to collect additional categories of personal information or to use previously collected personal information for new purposes; and
these individuals could still assert a claim under the CCPA's private right of action for cybersecurity incidents.
Exclusion of Employees of Business Partners and Business Clients
Similar to AB25, under Amendment AB135 many of the CCPA requirements would not apply until January 1, 2021, including when personal information is transmitted in business-to-business written or verbal communications or transactions relating to due diligence, or providing or receiving a product or service to or from the other business, and the personal information concerns an employee, owner, director, officer or contractor of that business. That individual would still be entitled to their right to nondiscrimination and right to opt out of the sale of such personal information. Such individuals could still exercise their private right of action under the law.
Verified Consumer Request (VCR)
While the California attorney general must still release guidance on the meaning of a verified consumer request (VCR), AB25 provides some additional guidance on VCRs, stating that a business, when responding to a VCR, may require authentication of the consumer that is reasonable in light of the nature of the personal information requested. The amendment also prohibits a business from requiring consumers to create a new account with the business in order to submit a VCR. However, if the consumer already maintains an account with the business, then the business may require the consumer to submit a request through that account. This change would be especially beneficial for consumer-facing companies reliant on online contacts.
The amendments also would permit the attorney general to establish rules and procedures on how to process and comply with VCRs for specific pieces of personal information relating to a household in order to address obstacles to implementation and privacy concerns. The current version of the CCPA contains minimal guidance on navigating the complexities of requests related to households as compared to a natural person, so this represents another important area for businesses to track going forward.
Limiting the Catch-All in the Definition of Personal Information
Under the CCPA, information is "personal information" if it is capable of being associated with, or could be reasonably linked, directly or indirectly, to a particular consumer or household. This definition was seen as extremely broad given today's advanced data mining technology. AB874 slightly narrows the definition by stating that the information must be "reasonably capable" of being associated with a particular consumer or household. Additionally, the amendment would specifically exclude de-identified or aggregate consumer information from the definition of personal information. The treatment of such information is somewhat unclear under the CCPA as currently written.
Expanding the Publicly Available Information Exclusion
The CCPA currently excludes "publicly available" information from personal information. However, a business can only rely on that exception if it is using the information "for a purpose that is compatible with the purpose for which the data is maintained and made available in the government records." Amendment AB874 would strike the "compatible purpose" requirement, meaning that a business could rely on that exception even if it used the publicly available information for a different purpose.
The Recall and Warranty Deletion Exception, and the Vehicle and Ownership Information Sale Exception
Under Amendment AB1146, a business could decline a consumer's personal information deletion request where retention of the personal information is required to fulfill the terms of a written warranty or product recall conducted in accordance with federal law. While the remainder of the amendment is directed toward vehicles, this deletion exception is not expressly limited to the vehicle context.
In addition, under this amendment, consumers would not have a right to opt out where vehicle information or ownership information is retained or shared between a new motor vehicle dealer and the vehicle's manufacturer for the purpose of effectuating, or in anticipation of effectuating, a repair covered by a warranty or recall. To remain within this exception, the new motor vehicle dealer and vehicle manufacturer could not sell, share or use the information for any other purpose. As a result, the same information could be subject to CCPA requirements where dealers use the information for other purposes, such as marketing or standard maintenance reminders. Vehicle information is defined as vehicle information number, make, model, year and odometer reading. Ownership information is defined as the name(s) of the registered owner(s) and their respective contact information.
Fair Credit Reporting Act (FCRA) Exception
The amendments clarify that, except for the private right of action for data breaches, the CCPA does not apply to an activity involving the collection, maintenance, disclosure, sale, communication or use of any personal information bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics or mode of living by (1) a consumer reporting agency; (2) a furnisher of information (as set forth in Section 1681s-2 of Title 15 of the United States Code) who provides information for use in a consumer report; and (3) a user of a consumer report. This exception would apply only to the extent that such activity by that agency, furnisher or user is subject to regulation under the FCRA and the information is not otherwise used, communicated, disclosed or sold, except as authorized by the FCRA.
Clarification to Notice Requirement