Two Far-Reaching CCPA Amendments You Should Know About

Two proposed amendments to the California Consumer Privacy Act (CCPA) are sure to generate mixed reactions if either passes. The first would expand individual consumer rights while the second modifies the definition of “consumer” to exclude California employees as consumers under a separate amendment, if passed.

The CCPA will affect any business collecting or storing data about California residents.  Under the CCPA requirement 1798.185, the state attorney general has obligations to develop guidance in certain vital areas. Statewide public forums were held to collect feedback on consumer opt-out procedures, a uniform opt-out button, accessibility requirements and verified consumer request processing requirements, to name a few. The comment period for the public forums concluded on March 8.

On February 22, Senate Bill (SB-561) was introduced to amend the CCPA and expand the private right of action by allowing consumers the opportunity to seek legal remedies for themselves, if their rights are violated. Also, the bill removes the 30-day cure period requirement for enforcement actions brought by the State Attorney General. California Attorney General Xavier Becerra supports the amendment bill, characterizing it as “a critical measure to strengthen and clarify the CCPA.”

Assembly Bill 25, amended on April 12, would redefine the term “consumer,” removing the requirement as it pertains to CCPA-covered employees and job applicants.  AB-25 would exclude employees and job applicants from the definition of “consumer.” The new amendment states:

“Consumer does not include a natural person whose personal information has been collected by a business in the course of a person acting as a job applicant or employee, contractor, or agent, on behalf of the business, to the extent their personal information is used for purposes compatible with the context of that person’s activities for the business as a job applicant, employee, contractor, or agent of the business.”

If amendment AB-25 passes, the broad rights granted to consumers under the CCPA will not apply to employees and job applicants of CCPA-covered employers.

Hypothetically, the expanded private right of action provision of SB-561, if passed, would significantly increase the business communities’ liability risks under the CCPA. While the California Attorney General is unable to bring enforcement actions until the first six months after the passage of implementing regulations or July 1, 2020, consumers may bring private rights of action on January 1, 2020, the CCPA’s compliance deadline.

Moreover, if the “consumer” definition is redefined the changes would be most beneficial to large employers that otherwise have little or no consumer data, including financial services and healthcare organizations that have carve-outs for GLBA and HIPAA data. With the proposed new interpretation, CCPA-covered employers may want to follow developments for this bill and the potential to reassess their CCPA scope. Unfortunately, this could still take months to finalize.

In sum, in order to comply with many of the CCPA’s requirements and its constant flux, businesses should look to inventory and sort all personal data collected.  Next, create a data map that traces the personal data ingested by the company and how it is collected, used, processed, stored and sold. Finally, document compliance processes, and procedures to demonstrate defensible claims against enforcement actions and or litigation.

Jeffrey Sanchez

Managing Director
Technology Consulting – Security and Privacy

Ron Naulls

Senior Manager
Technology Consulting - Security and Privacy

Subscribe to Topics

In this interview with @helpnetsecurity, Protiviti's David Taylor explains why #ransomwareattacks are so effective, what makes organizations vulnerable to attacks and what they can do to better protect themselves. http://ow.ly/su1m50GwBSt

#ProtivitiTech #ransomware #cybersecurity

As businesses compete for #quantum compute time, things can get complicated. @Strangeworks provides shorter queue times and cost and access control for customers. Join @KonstantHacker as he chats on this with Cesar Rodriguez from @Strangeworks. http://ow.ly/jERF50Gvo0W

Read this #SAP Blog to learn five considerations that have improved #ROI for our clients, highlight new ways of working and the art of the possible in the organization’s future #S4HANA system compared to ECC 6.x systems. http://ow.ly/WE5I50GuBRT

#ProtivitiTech #analytics #cloud

The intersection of #5G and #edgecomputing technologies will reinvent industries, change the way #security is implemented and revolutionize business operations. Learn in #Technology Insights why 5G and edge computing impacts approaches to security: http://ow.ly/hut750Gu2Um

Digitally transforming business with #Dynamics365 CE provides organizations with easy configuration and #integration with other #Microsoft products, fewer post-deployment issues and can be accessed anywhere. Read more in the #Technology Insights blog: http://ow.ly/AueX50GqQZs

Load More...