Two Far-Reaching CCPA Amendments You Should Know About

Two proposed amendments to the California Consumer Privacy Act (CCPA) are sure to generate mixed reactions if either passes. The first would expand individual consumer rights, while the second, a separate amendment, would modify the definition of “consumer” to exclude California employees.

The CCPA will affect any business collecting or storing data about California residents. Under the CCPA requirement 1798.185, the state attorney general is obligated to develop guidance in certain vital areas. Statewide public forums were held to collect feedback on consumer opt-out procedures, a uniform opt-out button, accessibility requirements and verified consumer request processing requirements, to name a few. The comment period for the public forums concluded on March 8.

On February 22, Senate Bill 561 (SB-561) was introduced to amend the CCPA and expand the private right of action by allowing consumers to seek legal remedies for themselves if their rights are violated. The bill also removes the 30-day cure period requirement for enforcement actions brought by the State Attorney General. California Attorney General Xavier Becerra supports the amendment bill, characterizing it as “a critical measure to strengthen and clarify the CCPA.”

Assembly Bill 25 (AB-25), amended on April 12, would redefine the term “consumer” to exclude employees and job applicants of CCPA-covered employers, removing the CCPA's requirements as they pertain to those individuals. The new amendment states:

“Consumer does not include a natural person whose personal information has been collected by a business in the course of a person acting as a job applicant or employee, contractor, or agent, on behalf of the business, to the extent their personal information is used for purposes compatible with the context of that person’s activities for the business as a job applicant, employee, contractor, or agent of the business.”

If amendment AB-25 passes, the broad rights granted to consumers under the CCPA will not apply to employees and job applicants of CCPA-covered employers.

Hypothetically, the expanded private right of action provision of SB-561, if passed, would significantly increase the business community’s liability risks under the CCPA. While the California Attorney General is unable to bring enforcement actions until six months after the passage of implementing regulations or July 1, 2020, consumers may bring private rights of action on January 1, 2020, the CCPA’s compliance deadline.

Moreover, if the “consumer” definition is redefined, the changes would be most beneficial to large employers that otherwise have little or no consumer data, including financial services and healthcare organizations that have carve-outs for GLBA and HIPAA data. Given the proposed new interpretation, CCPA-covered employers may want to follow developments on this bill and be prepared to reassess their CCPA scope. Unfortunately, this could still take months to finalize.

In sum, to comply with many of the CCPA’s requirements and keep pace with its constant flux, businesses should first inventory and sort all personal data collected. Next, create a data map that traces the personal data ingested by the company and how it is collected, used, processed, stored and sold. Finally, document compliance processes and procedures to demonstrate defensible claims against enforcement actions and/or litigation.

Jeffrey Sanchez

Managing Director
Security and Privacy

Ron Naulls

Senior Manager
Technology Consulting - Security and Privacy
