Amy Park, left, and Aylin Kuzucan, right, with Skadden.

On Oct. 11, 2019, California Governor Gavin Newsom signed into law AB 1355, an amendment to the landmark California Consumer Privacy Act that will take effect on Jan. 1, 2020. AB 1355 provides a one-year reprieve from compliance with most provisions of the Act for a business' business-to-business (B2B) transactions. The reprieve is a welcome break from the heavy compliance burden that businesses will face, especially for those whose only California personal data relates to business contacts. But is the B2B amendment to be or not to be long term? That is the question.

Under the Act, for-profit businesses, wherever located, that collect the personal information of California consumers and meet certain revenue or information collection thresholds must: disclose to consumers what personal information is collected about them and the purposes for which it is used, disclose what personal information is sold or shared and to whom, delete a consumer's personal information if requested, allow consumers to opt out of the sale of their personal information, and not discriminate against a consumer for exercising any of their rights under the Act. The Act also imposes strict notice obligations on businesses, requiring them to notify consumers, on their websites and in their privacy policies, of consumers' access, disclosure, deletion, opt-out, and other rights. In addition, businesses that fail to maintain reasonable security over the personal information they collect are subject to private lawsuits by consumers if their failure results in a data breach.

The California Attorney General estimates that 15,000 to 400,000 businesses will be affected by the Act. Economists estimate that from 2020 to 2030, businesses will spend $467 million to $16.4 billion collectively complying with the Act.

AB 1355: Temporary Relief From Many CCPA Obligations

AB 1355 offers temporary relief from the Act's onerous demands and associated costs by specifying that, until Jan. 1, 2021, many of the statute's obligations do not apply to otherwise covered personal information that is collected as part of a communication or transaction between the business and a representative of a government agency or other business, where the transaction is made for the purpose of the business conducting due diligence about a product or service, or providing or receiving a product or service to or from the government agency or other business. Businesses whose B2B transactions fall within the amendment's scope will be relieved of all but two of the foregoing obligations: the obligation to allow consumers to opt out of the sale of their personal information, and the obligation not to discriminate. Importantly, AB 1355 does not immunize businesses against private rights of action arising out of data breaches caused by the businesses' failure to maintain reasonable security over consumers' personal information.

AB 1355 was enacted in response to businesses' concerns about the consequences of responding to consumer requests for access to, and disclosure and deletion of, information while attempting to conduct B2B due diligence. As the Senate Rules Committee observed, before deciding to invest in or do business with another business, companies routinely investigate whether that other business is reputable. The individuals whose information is examined during due diligence rarely communicate with the business conducting the diligence. Deletion, disclosure or access rights to this diligence could compromise the effectiveness of the diligence and potentially lead to retaliation against the collecting business for its use of the data. AB 1355 is intended to prevent these and other unintended consequences of compliance with the Act.

Opt-Out Obligations

Under the Act, a consumer has the right, at any time, to opt out of a business's sale of their personal information to third parties. The Act requires businesses to provide at least two designated methods for submitting opt-out requests, including, at a minimum, a link on their homepage titled "Do Not Sell My Personal Information," which links to an opt-out page. AB 1355 removed this notice requirement for B2B businesses, but still requires B2B businesses that sell consumers' personal information to accept and respond to opt-out requests. Even if your business does not provide consumers' personal information to third parties in exchange for money, it may still be engaged in a "sale" and the opt-out obligation may thus still apply. The Act defines "sale" extremely broadly. It means "selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means" the personal information of a consumer to another business or a third party "for monetary or other valuable consideration." The broad definition suggests that if personal information is provided as part of a larger business relationship, a "sale" may have occurred even if no amounts are paid directly for the data.

So what does responding to opt-out requests entail? The Act provides some direction, and on Oct. 10, 2019, the California Attorney General issued draft regulations providing additional guidance. Under the Act, a consumer can authorize someone to opt out on their behalf. Once a consumer has opted out, the business cannot request authorization to sell the consumer's personal information for a year. Under the draft regulations, which remain subject to public comment and revision, in response to an opt-out request, businesses may present consumers with the choice to opt out of the sale of all of their personal information or only certain categories of their information, so long as the global opt-out option is more prominently presented than the alternative. Businesses that collect personal information from consumers online must also treat user-enabled privacy controls (such as browser plug-ins or privacy settings) that communicate or signal the consumer's choice to opt out as a valid request to do so. The draft regulations also provide that a request to opt out, including in the B2B context, need not meet the onerous standards the Act imposes with respect to other consumer-permitted requests, like a request to disclose or delete their personal information.

Anti-Discrimination Obligations

Businesses whose B2B transactions fall within the scope of AB 1355 must also comply with the Act's non-discrimination provisions. While those provisions prohibit businesses from treating consumers who exercise their statutory rights differently from those who do not, the Act does permit businesses to offer different prices or services to consumers if those differences are reasonably related to the value of the consumers' data. The draft regulations explain that the value of consumers' data can be measured by the (1) marginal or average value to the business of the sale, collection, or deletion of a consumer's data or a typical consumer's data; (2) revenue or profit generated by the business from separate tiers, categories, or classes of consumers or typical consumers whose data provides differing value; (3) revenue or profit generated by the business from sale, collection, or retention of consumers' personal information; (4) expenses related to the sale, collection, or retention of consumers' personal information; (5) expenses related to the offer, provision, or imposition of any financial incentive or price or service difference; and (6) any other practical and reliable method of calculation used in good faith.

It is unclear how the exception permitting businesses to charge different pricing or provide different services will actually work in the B2B context given the lack of identity between the consumers whose data is at issue and the recipients of the benefits (or detriments) of any differential treatment. The consumers themselves would not be the recipients of any differential pricing or services; the counter-party businesses with whom those consumers are associated would be. It remains to be seen how and if this will actually work in practice.

What's Next?

While AB 1355 provides significant relief to businesses engaged in B2B transactions, the relief is, for now, short-lived. Businesses that fall within the amendment's scope are still required to respond to opt-out requests and refrain from discrimination, including ensuring appropriate justification if they choose to offer varying prices or services for consumers that choose to forgo exercising their rights under the Act. In the long term, the amendment may not provide much relief or cost savings for businesses primarily engaged in B2B transactions. But the one-year respite will allow time for B2B businesses to plan how they will comply with the Act and enable the legislature and other interested constituents to consider whether the relief provided by AB 1355 should be extended or further amended. B2B businesses should use the year to determine how they will implement a compliance structure if the legislature decides not to extend the exemption.

Amy S. Park is a partner in Skadden Arps Slate Meagher & Flom's Palo Alto office. She focuses her practice on high-stakes commercial disputes in federal and state courts, including complex business disputes, M&A litigation, shareholder derivative suits, corporate governance disputes, internal investigations and securities class actions. Aylin Kuzucan is an associate in the firm's complex commercial litigation department.