Consumer Protection Laws

California Consumer Privacy Act Update: What Has Changed and What Remains the Same?

by Brian Hengesbaugh, Michael Egan and Cristina Messerschmidt - Global Compliance News

The California legislative session ended with a bang on 13 September, when legislators passed several noteworthy amendments to the California Consumer Privacy Act (CCPA). The California governor has until 13 October to act on these amendments. We have outlined below the amendments that materially alter the original scope or requirements of the CCPA and that will impact CCPA compliance activities for many organizations.

Limited Personnel Exemption

Assembly Bill 25, the amendment exempting personal information collected from employees and other personnel from the scope of the CCPA, was passed in a revised form. Under this final version of the amendment, the rights of access, correction and opt-out of sale do not apply to employees, job applicants, owners, directors, staff, officers, contractors and medical staff (collectively, “personnel”). However, businesses will still be required to meet the notice requirements laid out in Section 1798.100 for personnel and personnel still benefit from the private right of action in the event of a data breach as provided in Section 1798.150. The same provisions apply to personal information collected from personnel in the context of providing benefits, as well as information related to personnel’s emergency contact information. Importantly, this limited exemption expires after one year. While California legislators have made an affirmative commitment that they will address employee data privacy during the course of the next year, if they fail to do so prior to 1 January 2021, personnel information obtained from personnel and/or in the context of benefits will then be subject to the full requirements of the CCPA.

Limited B2B Information Exemption

Assembly Bill 1355 provides business-to-business (B2B) companies a limited reprieve from complying with all the requirements of the CCPA in the context of communications and transactions with other companies, organizations, and government agencies. Personal information that is collected in the course of B2B communications or transactions from or about an employee, owner, director, officer or contractor of a business or government agency is exempt from most CCPA requirements. Notably, however, this exemption does not apply to the right to opt out of the sale of personal information, the obligation not to discriminate against a consumer for attempting to exercise other rights, or the private right of action in the event of a data breach. Like the limited personnel exemption, this exemption also expires after one year, at which point business contact information will be covered by the CCPA if the legislature does not take further action in the interim. This being said, B2B companies that do not sell (as this term is defined by the CCPA) business contact information will still have to closely re-examine their other California personal information collection, to determine if and to what extent they must comply with CCPA requirements for other types of personal information they collect, such as for marketing purposes with prospective customers.

Read more:

Credit reporting agencies sue Maine over two new consumer protection laws

by Caitlin Andrews - BDN

AUGUSTA, Maine (BDN) -- An association representing three of the nation’s largest credit reporting agencies sued the state of Maine in federal court last week over two new consumer protection laws that affect credit ratings and deal with medical debt and economic abuse.

The Consumer Data Industry Association, whose membership includes credit reporting agencies Experian, Equifax and TransUnion, said in a complaint filed Sept. 26 in U.S. District Court that two laws that went into effect a week earlier violate the Fair Credit Reporting Act and will “undermine the accuracy, integrity and reliability” of consumer report information.

One of the laws prevents reporting agencies from reporting medical debt on a consumer report until the debt is 180 days old and instructs agencies to treat medical debt the same as a credit transaction if the consumer is paying the debt off regularly.

The other instructs reporting agencies to investigate if a person claims their debt is the result of economic abuse. This can include instances where access to money or bank accounts is obstructed, resources like food or shelter are withheld or an abuser creates fraudulent debt in a victim’s name, according to the law’s text. If abuse is found, the agencies have to remove any references to debt generated as a result of the abuse from the victim’s credit report.

Read more: