Two Far-Reaching CCPA Amendments You Should Know About

Two proposed amendments to the California Consumer Privacy Act (CCPA) are sure to generate mixed reactions if either passes. The first would expand individual consumer rights, while the second, a separate amendment, would modify the definition of “consumer” to exclude California employees if passed.

The CCPA will affect any business collecting or storing data about California residents. Under CCPA requirement 1798.185, the state attorney general is obligated to develop guidance in certain vital areas. Statewide public forums were held to collect feedback on consumer opt-out procedures, a uniform opt-out button, accessibility requirements and verified consumer request processing requirements, to name a few. The comment period for the public forums concluded on March 8.

On February 22, Senate Bill 561 (SB-561) was introduced to amend the CCPA and expand the private right of action by allowing consumers to seek legal remedies for themselves if their rights are violated. The bill also removes the 30-day cure period requirement for enforcement actions brought by the State Attorney General. California Attorney General Xavier Becerra supports the amendment bill, characterizing it as “a critical measure to strengthen and clarify the CCPA.”

Assembly Bill 25 (AB-25), amended on April 12, would redefine the term “consumer” by excluding employees and job applicants of CCPA-covered employers from the definition. The new amendment states:

“Consumer does not include a natural person whose personal information has been collected by a business in the course of a person acting as a job applicant or employee, contractor, or agent, on behalf of the business, to the extent their personal information is used for purposes compatible with the context of that person’s activities for the business as a job applicant, employee, contractor, or agent of the business.”

If amendment AB-25 passes, the broad rights granted to consumers under the CCPA will not apply to employees and job applicants of CCPA-covered employers.

Hypothetically, the expanded private right of action provision of SB-561, if passed, would significantly increase the business community’s liability risks under the CCPA. While the California Attorney General is unable to bring enforcement actions until six months after the passage of implementing regulations or July 1, 2020, consumers may bring private rights of action on January 1, 2020, the CCPA’s compliance deadline.

Moreover, if the “consumer” definition is redefined, the changes would be most beneficial to large employers that otherwise have little or no consumer data, including financial services and healthcare organizations that have carve-outs for GLBA and HIPAA data. With the proposed new interpretation, CCPA-covered employers may want to follow developments on this bill and consider the potential to reassess their CCPA scope. Unfortunately, this could still take months to finalize.

In sum, to comply with many of the CCPA’s requirements and its constant flux, businesses should first inventory and sort all personal data collected. Next, create a data map that traces the personal data ingested by the company and how it is collected, used, processed, stored and sold. Finally, document compliance processes and procedures to demonstrate defensible claims against enforcement actions and/or litigation.

Jeffrey Sanchez

Managing Director
Security and Privacy

Ron Naulls

Senior Manager
Technology Consulting - Security and Privacy
