Holland & Knight - California Consumer Privacy Act Newsletter - October 2019


California Consumer Privacy Act Amendments Head to Gov. Newsom's Desk
October 2019

Copyright © 2019 Holland & Knight LLP All Rights Reserved



Holland & Knight is a U.S.-based global law firm committed to providing high-quality legal services to our clients. We provide legal assistance to companies doing business or making investments in the United States and Latin America. With more than 1,300 professionals in 28 offices, our lawyers and professionals are experienced in all of the interdisciplinary areas necessary to guide clients through the opportunities and challenges that arise throughout the business or investment life cycles. We assist clients in areas such as international business, mergers and acquisitions, technology, healthcare, real estate, environmental law, private equity, venture capital, financial services, taxation, intellectual property, private wealth services, data privacy and cybersecurity, labor and employment, ESOPs, regulatory and government affairs, and dispute resolutions.




California Consumer Privacy Act Amendments Head to Gov. Newsom's Desk
By Ashley L. Shively

HIGHLIGHTS:

- The California State Legislature has passed five bills to amend the state's landmark privacy legislation, the California Consumer Privacy Act (CCPA). Gov. Gavin Newsom has until Oct. 13, 2019, to sign or veto the legislation, and the order in which he enacts bills will determine whether some overlapping provisions of the bills are enacted or not.
- Further complicating companies' efforts to operationalize the CCPA is the fact that regulations are still forthcoming. The state attorney general is expected to release draft regulations sometime this fall.
- In the absence of comprehensive federal privacy legislation, California has moved forward on its own, and the CCPA will come into effect on Jan. 1, 2020, alongside a number of other generally pro-consumer privacy laws.

Five bills to amend California's landmark privacy legislation, the California Consumer Privacy Act (CCPA), passed the California State Legislature in mid-September 2019 and now head to Gov. Gavin Newsom's desk. (See Holland & Knight's previous alert, "California Consumer Privacy Act Update: Assembly Approves 12 Amendments," June 6, 2019.)

NEW EXEMPTIONS TO PORTIONS OF THE ACT

Employees Are Out of Scope (Partially and at Least for Now). Introduced to address industry concern that employees would be covered by CCPA's broad definitions, AB 25 would exempt from most provisions of the Act personal information collected by a business from "a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business" when the individual is acting in such capacity.

The bill includes two notable exemptions:

1. A business would still be required to inform applicants, employees, contractors, etc. as to the categories of personal information to be collected by the business in the course of the individual acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of or contractor of that business
2. Applicants, employees, contractors, etc. would still be entitled to bring a private right of action for a data breach under Section 1798.150

Unless the legislature acts next year, the exemption would sunset on Jan. 1, 2021, and applicants, employees, contractors, etc. would be within the scope of the Act for all purposes, meaning such individuals could then make access and deletion requests to prospective, current and former employers.

Some Vehicle Information Exempted. AB 1146 would exempt vehicle information — VIN, make, model, year, odometer reading, and name and contact information of the registered owner — retained or shared between a new motor vehicle dealer and the vehicle's manufacturer, if such information is shared for the purpose of effectuating repairs covered by a warranty or recall, and provided that such information is not used, shared or sold for any other purpose.

CHANGES TO CONSUMER RIGHTS REQUEST PROCESS

Two bills would make changes to the consumer rights request process.

Online Businesses Need Not Provide Telephone Number for Rights Requests. AB 1564 would reduce the burden on online-only businesses, and permit such businesses to provide only an email address for consumers to submit rights requests.

Reasonable Authentication Measures Acceptable. To address concern about potentially fraudulent or malicious consumer rights requests, AB 25 would authorize a business to require authentication of the consumer that is reasonable in light of the nature of the personal information requested. The bill would also authorize a business to require a consumer/account holder to submit a verifiable consumer request through an account that the consumer maintains with the business. A business would still be prohibited from requiring a consumer to create an account in order to submit a request.

Businesses Need Not Delete Warranty-Related Information. AB 1146 would add a new circumstance where a business need not delete personal information: to fulfill the terms of a written warranty or product recall conducted in accordance with federal law.

Clarification of Non-Discrimination Provision. Current law provides that a business cannot discriminate against a consumer for exercising his or her CCPA rights, except that a business may offer a different price, rate, level or quality of goods or services to the consumer if the differential treatment is reasonably related to the value provided to the consumer by the consumer's data. AB 1355 would revise that language to clarify permissible discrimination must be reasonably related to the value provided to the business by the consumer's data.

UPDATES TO THE DEFINITION OF PERSONAL INFORMATION

Three bills would make a variety of changes to the definition of personal information under the Act.

Information Must Be Reasonably Associated with an Individual. AB 874 would revise the definition of "personal information" to add a reasonableness requirement to information that could be associated with a particular individual or household. If signed, personal information would be defined as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

Unrestricted Use of Publicly Available Government Records. While the CCPA excludes from the definition of "personal information" data that is lawfully made available from federal, state or local records, existing law specifies that such information is not "publicly available" if it is used for a purpose that is not compatible with the purpose for which such information is maintained. If signed, AB 874 would delete that use restriction and instead provide that "publicly available" information is simply information that is lawfully made available from federal, state or local records.

Clarification on Use of Deidentified or Aggregate Information. AB 874 and AB 1355 would each correct an apparent typo in the existing law and clarify that deidentified or aggregate consumer information is not "personal information" (rather than not "publicly available" information as stated in the existing law).


SURPRISE FAILURE: BILL TO PROTECT LOYALTY PROGRAMS DOESN'T COME UP FOR VOTE

The big surprise last week was that the bill to expressly protect loyalty programs, AB 846, was pulled from consideration and moved to the inactive file.

The bill was introduced to address a concern raised by businesses that a consumer's deletion request could require the deletion of loyalty program data and perks, a result that 1) at least arguably would conflict with the CCPA's anti-discrimination provision and 2) runs contrary to marketing departments' typical desire to keep people enrolled.

Support by companies dwindled, however, after the Senate Judiciary Committee forced an amendment that would have limited how businesses could use data collected in connection with a loyalty program. Privacy advocates never got behind the bill, pointing to the various exemptions from deletion found in the CCPA, and the fact that the Act permits a business to provide a different price or quality of goods if the difference is reasonably related to the value provided to the business by the consumer's data.

WHAT HAPPENS NEXT?

Gov. Newsom has until Oct. 13, 2019, to sign or veto the legislation, and the order in which he enacts bills will determine whether some overlapping provisions of the bills are enacted or not.

Further complicating companies' efforts to operationalize the CCPA is the fact that regulations are still forthcoming. The state attorney general is expected to release draft regulations sometime this fall.

CALIFORNIA LEADING THE WAY ON PRIVACY

In the absence of comprehensive federal privacy legislation, California has moved forward on its own, and the CCPA will come into effect alongside a number of other generally pro-consumer privacy laws.

Data Broker Registry. If signed, AB 1202 would establish a public registry of names, addresses and contact information for data brokers — companies that knowingly collect and sell the personal information of California consumers with whom they do not have a direct relationship. (The bill incorporates the broad definitions of "collect," "sell" and "personal information" as used in CCPA.)

Exempted from the definition of a data broker are:

1. a consumer reporting agency to the extent that it is covered by the federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.)
2. a financial institution to the extent that it is covered by the Gramm-Leach-Bliley Act (Public Law 106-102) and implementing regulations
3. an entity to the extent that it is covered by the Insurance Information and Privacy Protection Act (Article 6.6 (commencing with Section 1791) of Chapter 1 of Part 2 of Division 1 of the Insurance Code)

On or before Jan. 31 following each year in which a business meets the definition of data broker, a business would have to register with the state attorney general's office and pay a fee. A data broker who fails to register would be subject to an injunction and civil penalties ($100 per day), fees and costs in an action brought by the attorney general.



Unlike Vermont's data broker law, the California law does not include standalone information security or computer system security requirements. However, the registry would exist alongside the CCPA, which imposes a general duty on all businesses to implement and maintain reasonable security procedures and practices appropriate to the nature of the personal information collected and used. Cal. Civ. Code §1798.150.

Other California privacy laws coming into effect on Jan. 1, 2020, include:

Security of Connected Devices, California Civil Code §§1798.91.04, will ban "default" passwords for connected devices, and require manufacturers to equip such devices with reasonable security features appropriate to the nature of the device and the information collected.

Parent's Accountability and Child Protection Act, California Civil Code §§1798.99 et seq., will require an entity that conducts business in California to take reasonable steps to ensure that the purchaser of select goods or services is of legal age at the time of the purchase.

If signed by Gov. Newsom, AB 1138 would amend the Parent's Accountability and Child Protection Act to require a business that operates a social media website or application to obtain consent from the parent or guardian of its users under age 13, beginning July 1, 2021.

For additional information regarding the CCPA or the latest developments detailed in this article, contact the author.





Team Contacts (Data Protection Team)

Paul Bond, Partner | Philadelphia | 215.252.9535 | paul.bond@hklaw.com
Zalika Pierre, Associate | New York | 212.513.3584 | zalika.pierre@hklaw.com
Mark H. Francis, Partner | New York | 212.513.3572 | mark.francis@hklaw.com
Ashley L. Shively, Partner | San Francisco | 415.743.6906 | ashley.shively@hklaw.com
John P. Kern, Partner | San Francisco | 415.743.6918 | john.kern@hklaw.com
Stacey Hsiang Chung Wang, Partner | Los Angeles | 213.896.2480 | stacey.wang@hklaw.com
Mark S. Melodia, Partner | New York | 212.513.3583 | mark.melodia@hklaw.com

You May Also Contact Our China Practice Attorneys For Assistance (in Chinese)

Hongjun Zhang, Ph.D., Partner | Washington, D.C. | 202.457.5906 | hongjun.zhang@hklaw.com
Mike Chiang, Senior Counsel | San Francisco | 415.743.6968 | mike.chiang@hklaw.com

Office Locations

Anchorage | Atlanta | Austin | Bogotá | Boston | Charlotte | Chicago | Dallas | Denver | Fort Lauderdale | Houston | Jacksonville | Lakeland | London | Los Angeles | Mexico City | Miami | New York | Orlando | Philadelphia | Portland | San Francisco | Stamford | Tallahassee | Tampa | Tysons | Washington, D.C. | West Palm Beach
