Two Far-Reaching CCPA Amendments You Should Know About

Two proposed amendments to the California Consumer Privacy Act (CCPA) are sure to generate mixed reactions if either passes. The first would expand individual consumer rights while the second modifies the definition of “consumer” to exclude California employees as consumers under a separate amendment, if passed.

The CCPA will affect any business collecting or storing data about California residents.  Under the CCPA requirement 1798.185, the state attorney general has obligations to develop guidance in certain vital areas. Statewide public forums were held to collect feedback on consumer opt-out procedures, a uniform opt-out button, accessibility requirements and verified consumer request processing requirements, to name a few. The comment period for the public forums concluded on March 8.

On February 22, Senate Bill (SB-561) was introduced to amend the CCPA and expand the private right of action by allowing consumers the opportunity to seek legal remedies for themselves, if their rights are violated. Also, the bill removes the 30-day cure period requirement for enforcement actions brought by the State Attorney General. California Attorney General Xavier Becerra supports the amendment bill, characterizing it as “a critical measure to strengthen and clarify the CCPA.”

Assembly Bill 25, amended on April 12, would redefine the term “consumer,” removing the requirement as it pertains to CCPA-covered employees and job applicants.  AB-25 would exclude employees and job applicants from the definition of “consumer.” The new amendment states:

“Consumer does not include a natural person whose personal information has been collected by a business in the course of a person acting as a job applicant or employee, contractor, or agent, on behalf of the business, to the extent their personal information is used for purposes compatible with the context of that person’s activities for the business as a job applicant, employee, contractor, or agent of the business.”

If amendment AB-25 passes, the broad rights granted to consumers under the CCPA will not apply to employees and job applicants of CCPA-covered employers.

Hypothetically, the expanded private right of action provision of SB-561, if passed, would significantly increase the business communities’ liability risks under the CCPA. While the California Attorney General is unable to bring enforcement actions until the first six months after the passage of implementing regulations or July 1, 2020, consumers may bring private rights of action on January 1, 2020, the CCPA’s compliance deadline.

Moreover, if the “consumer” definition is redefined the changes would be most beneficial to large employers that otherwise have little or no consumer data, including financial services and healthcare organizations that have carve-outs for GLBA and HIPAA data. With the proposed new interpretation, CCPA-covered employers may want to follow developments for this bill and the potential to reassess their CCPA scope. Unfortunately, this could still take months to finalize.

In sum, in order to comply with many of the CCPA’s requirements and its constant flux, businesses should look to inventory and sort all personal data collected.  Next, create a data map that traces the personal data ingested by the company and how it is collected, used, processed, stored and sold. Finally, document compliance processes, and procedures to demonstrate defensible claims against enforcement actions and or litigation.

Jeffrey Sanchez

Managing Director
Technology Consulting – Security and Privacy

Ron Naulls

Senior Manager
Technology Consulting – Security and Privacy