On Oct. 11, 2019, California Governor Gavin Newsom signed into law AB 1355, an amendment to the landmark California Consumer Privacy Act that will take effect on Jan. 1, 2020. AB 1355 provides a one-year reprieve from compliance with most provisions of the Act for a business' business-to-business (B2B) transactions. The reprieve is a welcome break from the heavy compliance burden that businesses will face, especially for those whose only California personal data relates to business contacts. But is the B2B amendment to be or not to be long term? That is the question.

Under the Act, for-profit businesses, wherever located, that collect the personal information of California consumers and meet certain revenue or information collection thresholds must: disclose to consumers what personal information is collected about them and the purposes for which it is used, disclose what personal information is sold or shared and to whom, delete a consumer's personal information if requested, allow consumers to opt out of the sale of their personal information, and not discriminate against a consumer for exercising any of their rights under the Act. The Act also imposes strict notice obligations on businesses, requiring them to notify consumers, on their websites and in their privacy policies, of consumers' access, disclosure, deletion, opt-out, and other rights. In addition, businesses that fail to maintain reasonable security over the personal information they collect are subject to private lawsuits by consumers if their failure results in a data breach.

The California Attorney General estimates that 15,000 to 400,000 businesses will be affected by the Act. Economists estimate that from 2020 to 2030, businesses will spend $467 million to $16.4 billion collectively complying with the Act.

AB 1355: Temporary Relief From Many CCPA Obligations

AB 1355 offers temporary relief from the Act's onerous demands and associated costs. It specifies that, until Jan. 1, 2021, many of the statute's obligations do not apply to otherwise covered personal information that is collected as part of a communication or transaction between the business and a representative of a government agency or other business, where the transaction is made for the purpose of the business conducting due diligence about a product or service, or providing or receiving a product or service to or from the government agency or other business. Businesses whose B2B transactions fall within the amendment's scope will be relieved of all but two of the foregoing obligations: the obligation to allow consumers to opt out of the sale of their personal information, and the obligation not to discriminate. Importantly, AB 1355 does not immunize businesses against private rights of action arising out of data breaches caused by the businesses' failure to maintain reasonable security over consumers' personal information.