Risk and Compliance

California Consumer Privacy Act Amendments Update & FAQs

Ron Naulls
September 24, 2019
4 min read

The California legislature finished its 2019 session on Friday, September 13, marking the end of opportunities to make changes before the bill goes into effect on January 1, 2020.

In sum, five of six CCPA amendments were passed during the 2019 legislative session.  Among the changes and clarifications included in the amendments, the most noteworthy include:

1) AB 25 exempts for one year the personnel data of California employees, yet the exemption does not remove the notice requirement under Section 1798.100 (b) or the consumer private right of action for breach under Section 1798.150;

2) AB 1355, which will expire in one year, provides an exemption under the CCPA for personal information collected in a business-to-business transaction;

3) AB 874 amends the definition of ‘personal information’ to exclude “deidentified” or “aggregate consumer information”;

4) AB 1146 clarifies the CCPA’s deletion right does not apply to terms applicable to a written warranty or product recall, and clarifies the opt-out sale right does not apply to new vehicle or ownership information for purposes of vehicle repair, warranty, or recall;

5) AB 1564 eliminates the toll-free number requirement under explicit conditions

6) AB 846, regarding customer loyalty programs, was ordered to inactive status and did not pass the 2019 legislative session.

Time is Running Out

Organizations that were waiting for final amendments to the CCPA before standing up compliance, the wait is over! Rest assured that on January 1, 2020, the CCPA will go into effect.  With a little over 90 days left until enactment, here are some FAQ‘s to help with compliance:

What is out of scope for the CCPA?

California employees and business-to-business California consumer contact information are broadly out scope under the CCPA until 2021.

GLBA, HIPPA, FCRA, and similar exemptions do apply to some personal information and data.  However, it is strongly encouraged that organizations seek professional advice over blanket exemptions because mistaken or inadvertent exemptions do not escape CCPA, FTC, or GDPR type enforcement.

On January 1, 2020, what will a Californian be able to do?

A Californian will be able to ask a business to provide the categories and specific pieces of personal information collected on them, or in general, the categories of personal information the business collects about consumers. The categories of personal information a business has sold to third parties, and the categories of personal information a business has to disclose to third parties for a business purpose are also included.

Were there any changes to the deletion, opt-out and/or non-discrimination requirements?

No, a California consumer still has the right to request that their personal information be deleted (with many exceptions) and the right to opt-out of the sale of their personal information. Section 1798.125’s non-discrimination clause remains but clarifies that a business may “offer financial incentives including payments … for the collection, … sale, or … deletion of personal information.”  Thus, if a consumer does not opt in or requests a business to not sell or delete their personal information, a business “may also offer a different, price, rate, level, or quality of goods or services to the consumer if that price or difference is directly related to the value provided to the business by the consumer’s data.” For California, privacy becomes a commodity and we anticipate many conversations will take place on how to arrive at a value when it comes to the consumer data provided.

What clarifications or exemptions are there for California’s definition of “personal information”?

Clarifications were made around the language “capable of being associated” when it pertains to a household with “reasonably capable of being associated.” Deidentified and aggregate consumer data are altogether excluded from the “Personal Information” definition.

What is the deal with the toll-free number requirement when facilitating consumer requests?

A business must provide two separate consumer request submission mechanisms. However, if the business operates exclusively online, and has a direct relationship with consumers from whom it collects personal information, an email address can be used instead of a toll-free number for consumer request submissions.

What is next?

The California Attorney General is expected to issue draft rules that will clarify notice and request verification protocols under the CCPA before the January enactment date.

Conclusion

On January 1, 2020, a substantial shift in data privacy will have a broad impact on businesses that handle personal information. For CCPA compliance, data protection programs must know where particular personal information is stored, adequately respond to the consumer, and also know to whom that information has been disclosed to, and how to access and delete if required. With a flurry of additional state bills with similar requirements in progress, businesses must bite the privacy bullet and be ready to comply with the CCPA’s prescriptive and stringent requirements.

Ron Naulls

Senior Manager
Technology Consulting - Security and Privacy

View all posts

You may also like

Subscribe to Topics

Protiviti Technology Follow

Protiviti leverages emerging technologies to innovate, while helping organizations transform and succeed by focusing on business value.

ProtivitiTech
protivititech Protiviti Technology @protivititech ·
2 Nov

Many often overlook the potential impact—both positive and negative—a #TechnModernization project can have on operational #resilience. #ProtivitiTech's Kim Bozzella shares her thoughts with #Forbes Technology Council. https://ow.ly/1FLA50TYIaE

Reply on Twitter 1852806697112187072 Retweet on Twitter 1852806697112187072 Like on Twitter 1852806697112187072 Twitter 1852806697112187072
protivititech Protiviti Technology @protivititech ·
1 Nov

Establishing a scalable #AI #governance framework is crucial for balancing innovation with #risk and #compliance. Dive into our latest ebook, co-authored with #OneTrust, to explore key steps and technologies that will elevate your AI governance strategy. https://ow.ly/QqKy50TVUx3

Reply on Twitter 1852320075530809735 Retweet on Twitter 1852320075530809735 Like on Twitter 1852320075530809735 Twitter 1852320075530809735
protivititech Protiviti Technology @protivititech ·
31 Oct

News reports implied that China has managed to break "military grade" encryption using quantum computers. But the truth is more complicated than that. Protiviti's #quantum expert Konstantinos Karagiannis explains it all to #VISIONbyProtiviti. https://ow.ly/Zb9z50TWNuh

Reply on Twitter 1852018952433549469 Retweet on Twitter 1852018952433549469 Like on Twitter 1852018952433549469 Twitter 1852018952433549469
protivititech Protiviti Technology @protivititech ·
31 Oct

The #IIoT can help organizations collect and analyze data to optimize operations and maximize resources. #ProtivitiTech's Kim Bozzella details how IIoT can yield benefits for businesses and the people they serve with #Forbes #Technology Council. https://ow.ly/V5I250TVLAj

Reply on Twitter 1851988257015226688 Retweet on Twitter 1851988257015226688 Like on Twitter 1851988257015226688 Twitter 1851988257015226688
protivititech Protiviti Technology @protivititech ·
31 Oct

Protiviti has earned the AWS DevOps Competency, which complements our existing Migration and Security Competencies. These competencies reflect Protiviti's ability to deliver comprehensive AWS system integration services. https://ow.ly/Baj550TWR9I

#AWSDevOps #AWSCloud #AWS

Reply on Twitter 1851821523918528853 Retweet on Twitter 1851821523918528853 Like on Twitter 1851821523918528853 1 Twitter 1851821523918528853
Load More