The California legislative session ended with a bang on 13 September, when legislators passed several noteworthy amendments to the California Consumer Privacy Act (CCPA). The California governor has until 13 October to act on these amendments. We have outlined below the amendments that materially alter the original scope or requirements of the CCPA and that will impact CCPA compliance activities for many organizations.

Limited Personnel Exemption

Assembly Bill 25, the amendment exempting personal information collected from employees and other personnel from the scope of the CCPA, was passed in a revised form. Under this final version of the amendment, the rights of access, correction and opt-out of sale do not apply to employees, job applicants, owners, directors, staff, officers, contractors and medical staff (collectively, “personnel”). However, businesses will still be required to meet the notice requirements laid out in Section 1798.100 for personnel, and personnel still benefit from the private right of action in the event of a data breach as provided in Section 1798.150. The same provisions apply to personal information collected from personnel in the context of providing benefits, as well as information related to personnel’s emergency contact information. Importantly, this limited exemption expires after one year. While California legislators have made an affirmative commitment that they will address employee data privacy during the course of the next year, if they fail to do so prior to 1 January 2021, information obtained from personnel and/or in the context of benefits will then be subject to the full requirements of the CCPA.

Limited B2B Information Exemption

Assembly Bill 1355 provides business-to-business (B2B) companies a limited reprieve from complying with all the requirements of the CCPA in the context of communications and transactions with other companies, organizations, and government agencies. Personal information that is collected in the course of B2B communications or transactions from or about an employee, owner, director, officer or contractor of a business or government agency is exempt from most CCPA requirements. Notably, however, this exemption does not apply to the right to opt out of the sale of personal information, the obligation not to discriminate against a consumer for attempting to exercise other rights, or the private right of action in the event of a data breach. Like the limited personnel exemption, this exemption also expires after one year, at which point business contact information will be covered by the CCPA if the legislature does not take further action in the interim. This being said, B2B companies that do not sell (as this term is defined by the CCPA) business contact information will still have to closely re-examine their other California personal information collection, to determine if and to what extent they must comply with CCPA requirements for other types of personal information they collect, such as for marketing purposes with prospective customers.

Clarification to the Definition of “Personal Information”

The original text of the CCPA defined “personal information” as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household” — an extremely expansive definition. The amendments narrowed this definition by adding a reasonableness standard. That is, “personal information” must identify, relate to, describe, be reasonably capable of being associated with, or be reasonably capable of being linked with a particular consumer or household. This means that businesses will still have to evaluate whether a particular piece of personal information is capable of being associated with a consumer or household, but this association must be reasonable in light of the information and means reasonably available to the business. Further, the amendments clarify that “personal information” does not include de-identified or aggregate information, or “publicly available information” that is lawfully made available from federal, state, or local government records.

FCRA and Vehicle Industry Exemptions

The CCPA amendments also clarified two further exemptions, one related to the Fair Credit Reporting Act (FCRA) and one related to the vehicle industry. Specifically, activities related to consumer credit reports are exempt from the CCPA, to the extent that the information is subject to the FCRA and the activities are allowed by the FCRA. Previous versions of the CCPA limited this exemption to the “sale” of information from consumer reports, but the final version of the CCPA expands the scope of the exemption to all such activities.

Further, a consumer’s right to opt out of the “sale” of personal information does not apply to vehicle information or ownership information exchanged between a car manufacturer and new car dealer, so long as the information is used to carry out a vehicle repair covered by warranty or recall and the recipient does not sell, share or use that information for any other purpose.

Other Notable Amendments . . . and Those that Failed

For businesses that operate exclusively online and have a direct relationship with a consumer from whom they collect personal information, only one method for submitting access or deletion requests will be required: an email address. This clarification has a significant impact on those businesses that operate exclusively online, since they will no longer be required to set up a toll-free number in order to comply with CCPA requirements.

One important amendment, Assembly Bill 846, which would have protected certain loyalty programs, was removed from consideration and tabled until next year. This amendment addressed loyalty reward, discount and similar programs, and included a prohibition on the sale of personal information collected as part of those programs, as well as a limited exception to that prohibition.


Brian Hengesbaugh is chair of the Firm's Global Data Privacy and Security Business Unit, a Member of the Firm's Global IP Tech Steering Committee, and a Member of the Firm's Financial Institutions' Group. Brian is listed in The Legal 500 Hall of Fame and was recognized as a Regulatory & Compliance Trailblazer by the National Law Journal. He is also listed as a Leading Lawyer for Cyber law (including data protection and privacy) in The Legal 500 and is listed in Chambers. Formerly Special Counsel to the General Counsel of the US Department of Commerce, Brian played a key role in the development and implementation of the US Government’s domestic and international policy in the area of privacy and electronic commerce. In particular, he served on the core team that negotiated the US-EU Safe Harbor Privacy Arrangement (Safe Harbor), and earned a Medal Award from the US Department of Commerce for this service. In addition, Brian participated on behalf of the United States in the development of a draft Council of Europe Treaty on Cyber Crime, and in the negotiation of a draft Hague Convention on Jurisdiction and the Recognition of Foreign Judgments. Brian has been quoted in the Wall Street Journal, New York Times, Forbes, CNET, Slate Magazine, Compliance Weekly, BNA Bloomberg, PCWorld and other news publications on global privacy and security issues.


Michael Egan advises clients across various industries, including global online businesses, pharmaceutical companies, healthcare providers, manufacturers, financial institutions, sourcing providers, retail companies, and other organizations regarding the legal aspects of global privacy and data protection, data security, information technology, and related restrictions on data collection and transfer. He focuses on these issues in the context of: global company operations and applications, including websites, mobile and e-commerce applications; data security breach and incident response; transactions; litigation; internal investigations; and government inquiries. He has represented companies before numerous government authorities, including the US Federal Trade Commission, the US Department of Justice and the US Securities and Exchange Commission.


Cristina G. Messerschmidt is an associate in the Privacy and Security practice group based in Chicago, advising global organizations on privacy and data security compliance requirements, as well as data security incident response.