California Consumer Privacy Act Amendments Update & FAQs

The California legislature finished its 2019 session on Friday, September 13, marking the end of opportunities to make changes before the bill goes into effect on January 1, 2020.

In sum, five of six CCPA amendments were passed during the 2019 legislative session. The most noteworthy changes and clarifications in the amendments include:

1) AB 25 exempts for one year the personnel data of California employees, yet the exemption does not remove the notice requirement under Section 1798.100 (b) or the consumer private right of action for breach under Section 1798.150;

2) AB 1355, which will expire in one year, provides an exemption under the CCPA for personal information collected in a business-to-business transaction;

3) AB 874 amends the definition of ‘personal information’ to exclude “deidentified” or “aggregate consumer information”;

4) AB 1146 clarifies the CCPA’s deletion right does not apply to terms applicable to a written warranty or product recall, and clarifies the opt-out sale right does not apply to new vehicle or ownership information for purposes of vehicle repair, warranty, or recall;

5) AB 1564 eliminates the toll-free number requirement under explicit conditions;

6) AB 846, regarding customer loyalty programs, was ordered to inactive status and did not pass the 2019 legislative session.

Time is Running Out

For organizations that were waiting for final amendments to the CCPA before standing up compliance, the wait is over! Rest assured that on January 1, 2020, the CCPA will go into effect. With a little over 90 days left until enactment, here are some FAQs to help with compliance:

What is out of scope for the CCPA?

California employees and business-to-business California consumer contact information are broadly out of scope under the CCPA until 2021.

GLBA, HIPAA, FCRA, and similar exemptions do apply to some personal information and data. However, it is strongly encouraged that organizations seek professional advice over blanket exemptions because mistaken or inadvertent exemptions do not escape CCPA, FTC, or GDPR-type enforcement.

On January 1, 2020, what will a Californian be able to do?

A Californian will be able to ask a business to provide the categories and specific pieces of personal information collected on them, or in general, the categories of personal information the business collects about consumers. The categories of personal information a business has sold to third parties, and the categories of personal information a business has to disclose to third parties for a business purpose are also included.

Were there any changes to the deletion, opt-out and/or non-discrimination requirements?

No, a California consumer still has the right to request that their personal information be deleted (with many exceptions) and the right to opt-out of the sale of their personal information. Section 1798.125’s non-discrimination clause remains but clarifies that a business may “offer financial incentives including payments … for the collection, … sale, or … deletion of personal information.” Thus, if a consumer does not opt in or requests a business to not sell or delete their personal information, a business “may also offer a different price, rate, level, or quality of goods or services to the consumer if that price or difference is directly related to the value provided to the business by the consumer’s data.” For California, privacy becomes a commodity and we anticipate many conversations will take place on how to arrive at a value when it comes to the consumer data provided.

What clarifications or exemptions are there for California’s definition of “personal information”?

As it pertains to a household, the language “capable of being associated” was clarified to “reasonably capable of being associated.” Deidentified and aggregate consumer data are altogether excluded from the “Personal Information” definition.

What is the deal with the toll-free number requirement when facilitating consumer requests?

A business must provide two separate consumer request submission mechanisms. However, if the business operates exclusively online, and has a direct relationship with consumers from whom it collects personal information, an email address can be used instead of a toll-free number for consumer request submissions.

What is next?

The California Attorney General is expected to issue draft rules that will clarify notice and request verification protocols under the CCPA before the January enactment date.

Conclusion

On January 1, 2020, a substantial shift in data privacy will have a broad impact on businesses that handle personal information. For CCPA compliance, data protection programs must know where particular personal information is stored, adequately respond to the consumer, and also know to whom that information has been disclosed, and how to access and delete it if required. With a flurry of additional state bills with similar requirements in progress, businesses must bite the privacy bullet and be ready to comply with the CCPA’s prescriptive and stringent requirements.

Ron Naulls

Senior Manager
Technology Consulting - Security and Privacy
