AB 1355: What You Need to Know and Why It Matters For Your Business

Oct 16, 2019 Published Article

The enactment of the California Consumer Privacy Act (“CCPA”) was faced with extensive criticism given the widespread ambiguities in the text of the statute and the lack of clear, meaningful guidance for the business affected by it. Assembly Bill No. 1355 (“AB 1355”) is one of several assembly bills passed by the California Legislature seeking to address these criticisms and clarify various elements of the CCPA text.

How Will AB 1355 Change the CCPA?

In sum, AB 1355 seeks to:

  • redefine the term “personal information” to exclude deidentified and aggregate consumer information;
  • modify certain disclosure requirements relating to a consumer’s right to request the specific pieces and categories of information collected by a business, and the consumer’s right to request that the information about the consumer be deleted;
  • exempt activity involving the disclosure of personal information by a consumer reporting agency, furnisher of information, or user of a consumer report, so long as the activity is regulated by the Fair Credit Reporting Act (“FCRA”), from the purview of the CCPA;
  • modify the private right of action for a data breach to require the breached data to be both unencrypted and unredacted (as opposed to requiring the data to be unencrypted or unredacted); and
  • create a new, one-year exemption for certain business-to-business (“B2B”) communications.

How Will AB 1355 Affect My Business?

Two of the most important changes proposed in AB 1355 are: (1) the exclusion of deidentified or aggregate consumer information from the definition of “personal information”; and (2) the one-year moratorium on the CCPA’s application to certain B2B communications.

Part of what makes the CCPA so expansive is its definition of personal information. Currently, this definition would cover information that is “capable of being associated with” a particular consumer or household. AB 1355 attempts to narrow this definition by inserting the word “reasonably” before “capable” (i.e. personal information that was “reasonably capable” of being associated with a particular consumer). AB 1355 also seeks to exclude deidentified or aggregate consumer information from the definition of “personal information.”

More importantly, AB 1355 seeks to enact a temporary exemption for businesses engaged in B2B transactions. If enacted, the CCPA would not apply to “personal information reflecting a written or verbal communication or a transaction between the business and the consumer, where the consumer is a natural person who is acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency and whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from such company, partnership, sole proprietorship, nonprofit or government agency,” until January 1, 2021.

While this exclusion would provide a significant relief to businesses previously concerned that they may hold significant amounts of personal information under the CCPA’s broad definition, this exemption would not apply to the collection or use of personal information outside of the context described in the amendment. Furthermore, while businesses would be excused from the requirements of notice, deletion, and access with respect to the B2B communications specified in the amendment, the exemption would not apply to the CCPA’s non-discrimination rights or the right to opt out of the sale of a consumer’s data.

While many businesses will agree that AB 1355 is a step in the right direction, the inapplicability of the amendment to critical provisions of the CCPA (e.g. Section 1798.120 (the right to opt-out of “selling”), Section 1798.125 (price discrimination provisions), Section 1798.150 (the private right of action to sue after a data breach)) underscores why diligence and caution must be exercised to ensure compliance. Businesses still need to conduct data inventories received in the B2B context, be prepared to respond to opt-out requests, and fully understand their company’s obligations under the CCPA to ensure compliance