Two Far-Reaching CCPA Amendments You Should Know About

Two proposed amendments to the California Consumer Privacy Act (CCPA) are sure to generate mixed reactions if either passes. The first would expand individual consumer rights while the second modifies the definition of “consumer” to exclude California employees as consumers under a separate amendment, if passed.

The CCPA will affect any business collecting or storing data about California residents.  Under the CCPA requirement 1798.185, the state attorney general has obligations to develop guidance in certain vital areas. Statewide public forums were held to collect feedback on consumer opt-out procedures, a uniform opt-out button, accessibility requirements and verified consumer request processing requirements, to name a few. The comment period for the public forums concluded on March 8.

On February 22, Senate Bill (SB-561) was introduced to amend the CCPA and expand the private right of action by allowing consumers the opportunity to seek legal remedies for themselves, if their rights are violated. Also, the bill removes the 30-day cure period requirement for enforcement actions brought by the State Attorney General. California Attorney General Xavier Becerra supports the amendment bill, characterizing it as “a critical measure to strengthen and clarify the CCPA.”

Assembly Bill 25, amended on April 12, would redefine the term “consumer,” removing the requirement as it pertains to CCPA-covered employees and job applicants.  AB-25 would exclude employees and job applicants from the definition of “consumer.” The new amendment states:

“Consumer does not include a natural person whose personal information has been collected by a business in the course of a person acting as a job applicant or employee, contractor, or agent, on behalf of the business, to the extent their personal information is used for purposes compatible with the context of that person’s activities for the business as a job applicant, employee, contractor, or agent of the business.”

If amendment AB-25 passes, the broad rights granted to consumers under the CCPA will not apply to employees and job applicants of CCPA-covered employers.

Hypothetically, the expanded private right of action provision of SB-561, if passed, would significantly increase the business communities’ liability risks under the CCPA. While the California Attorney General is unable to bring enforcement actions until the first six months after the passage of implementing regulations or July 1, 2020, consumers may bring private rights of action on January 1, 2020, the CCPA’s compliance deadline.

Moreover, if the “consumer” definition is redefined the changes would be most beneficial to large employers that otherwise have little or no consumer data, including financial services and healthcare organizations that have carve-outs for GLBA and HIPAA data. With the proposed new interpretation, CCPA-covered employers may want to follow developments for this bill and the potential to reassess their CCPA scope. Unfortunately, this could still take months to finalize.

In sum, in order to comply with many of the CCPA’s requirements and its constant flux, businesses should look to inventory and sort all personal data collected.  Next, create a data map that traces the personal data ingested by the company and how it is collected, used, processed, stored and sold. Finally, document compliance processes, and procedures to demonstrate defensible claims against enforcement actions and or litigation.

Jeffrey Sanchez

Managing Director
Technology Consulting – Security and Privacy

Ron Naulls

Senior Manager
Technology Consulting - Security and Privacy

Subscribe to Topics

Protiviti is happy to announce that Wendy Luebbe has joined as a Managing Director for the Technology Consulting Solution. Based in Orlando and with over 20 years of experience, Wendy will focus on the Enterprise Data & Analytics segment, specializing in financial services.

Join Protiviti's Scott Laliberte and Andrew Struthers-Kennedy for thoughts on how organizations should discuss and evaluate risks and include emerging technologies as part of risk and audit reviews. http://ow.ly/oJ0a50Fx7Hx

#ITaudit #ProtivitiTech #emergingtechrisks #prowebinars

Consumer #privacy is key. Protiviti recommends focusing on three buckets and eleven requirements that cover what an organization must consider when developing personal #data privacy protections and have a relationship with #digital #identitymanagement. http://ow.ly/8BuC50FA5Hj

Protiviti’s Scott Laliberte hosted a panel with three Chief Information Security Officers on July 11th. While all faced their own distinct pandemic-related issues, many common themes emerged during the discussion. Learn more: http://ow.ly/Er9e50FA3Q3

#CISO #ProtivitiTech

Reporting and #analytics are critical for #CIOs because they structure #data to guide businesses in strategic decision making. Learn why companies must harness and use information that propels business goals. http://ow.ly/eGoR50FA2ub

#TechTransformation #enterprisetransformation

Load More...