California Consumer Protection Act (“CCPA”)
Since its hasty introduction in January 2018, the CCPA has been amended on multiple occasions to address its known shortcomings and textual irregularities. The final round of amendments, before CCPA takes effect in January 2020, were passed before the close of the California legislative session on September 13, 2019. Amendments AB 25, AB 874, AB 1146, AB 1355, and AB 1564 have been sent to the Governor’s desk for Governor Gavin Newson’s signature or veto.  The following three amendments are of particular importance to businesses seeking to comply with CCPA.

First, CCPA’s definition of “personal information” has always been notoriously broad. AB 874 adds two reasonableness qualifiers within that definition that will enable additional flexibility for businesses operating under CCPA; this, however, may increase their workload in determining whether certain data qualify under this definition. The amendment also clarifies that de-identified or aggregated consumer information is not “personal information.” Second, CCPA’s original definition of “consumer” was so broad as to ostensibly include a company’s employees. AB 25 temporarily excludes employees from that definition insofar as personal information is collected and used by an employer for purposes relating to an employee’s current or former position. This exemption will apply until January 1, 2020, when the California State Legislature is expected to pass a separate employee privacy bill. Finally, the original version of CCPA allowed businesses to offer differential pricing, service levels, etc. to consumers that opt-out of the sale of their personal information. Some commentators had speculated that the Legislature might resolve this section’s apparent tension with CCPA’s general prohibition on non-discrimination against consumers that exercise their CCPA rights. AB 1355 clarifies that the differential service exception relates to the value the personal information holds for the applicable business, rather than the value it holds for the applicable consumer. On the surface, this amendment simply corrects an obvious typographical error, but the Legislature’s decision to amend rather than strike this section demonstrates that it was intended as an exception to CCPA’s prohibition on this type of discrimination.

These amendments should generally improve businesses’ ability to comply with CCPA’s expansive requirements, but CCPA compliance remains a significant challenge for businesses across a wide variety of industries.

Brexit
As of September 25, 2019, The United Kingdom (“UK”) is expected to withdraw from the European Union (“EU”) on October 31st, 2019. While the outcome of any departure agreement remains unpredictable, a ‘no-deal’ withdrawal would effectively negate all UK rights, obligations, and reciprocal arrangements with respect to the EU including those arising under the General Data Protection Regulation (“GDPR”). The United Kingdom’s Data Protection Act of 2018 domestically implemented GDPR and would continue to impose similar data protection requirements on UK organizations, but that statute’s express reliance on GDPR, European Commission decisions, and other related mechanisms may frustrate its application. Because the UK does not have an independent adequacy decision under GDPR, there will likely be no generally applicable export mechanism for transfers between the EU and UK in the event of a no-deal withdrawal. The UK Information Commissioner’s Office has urged UK and EU entities to implement Standard Contractual Clauses or Binding Corporate Rules in order to facilitate ongoing data transfers before GDPR ceases to apply to the UK on November 1st.  

Kutak Rock encourages businesses facing these issues to contact the firm’s Privacy and Data Security Group for a privacy risk assessment.

Q4: Data Privacy Updates