California Consumer Privacy Act Amendments Update & FAQs

The California legislature finished its 2019 session on Friday, September 13, marking the end of opportunities to make changes before the bill goes into effect on January 1, 2020.

In sum, five of six CCPA amendments were passed during the 2019 legislative session. Among the changes and clarifications included in the amendments, the most noteworthy include:

1) AB 25 exempts for one year the personnel data of California employees, yet the exemption does not remove the notice requirement under Section 1798.100 (b) or the consumer private right of action for breach under Section 1798.150;

2) AB 1355, which will expire in one year, provides an exemption under the CCPA for personal information collected in a business-to-business transaction;

3) AB 874 amends the definition of ‘personal information’ to exclude “deidentified” or “aggregate consumer information”;

4) AB 1146 clarifies the CCPA’s deletion right does not apply to terms applicable to a written warranty or product recall, and clarifies the opt-out sale right does not apply to new vehicle or ownership information for purposes of vehicle repair, warranty, or recall;

5) AB 1564 eliminates the toll-free number requirement under explicit conditions;

6) AB 846, regarding customer loyalty programs, was ordered to inactive status and did not pass the 2019 legislative session.

Time is Running Out

For organizations that were waiting for final amendments to the CCPA before standing up a compliance program, the wait is over. Rest assured that on January 1, 2020, the CCPA will go into effect. With a little over 90 days left until enactment, here are some FAQs to help with compliance:

What is out of scope for the CCPA?

California employees and business-to-business California consumer contact information are broadly out of scope under the CCPA until 2021.

GLBA, HIPAA, FCRA, and similar exemptions do apply to some personal information and data. However, organizations are strongly encouraged to seek professional advice before relying on blanket exemptions, because mistaken or inadvertent exemptions do not escape CCPA, FTC, or GDPR-type enforcement.

On January 1, 2020, what will a Californian be able to do?

A Californian will be able to ask a business to provide the categories and specific pieces of personal information collected on them, or in general, the categories of personal information the business collects about consumers. The categories of personal information a business has sold to third parties, and the categories of personal information a business has disclosed to third parties for a business purpose, are also included.

Were there any changes to the deletion, opt-out and/or non-discrimination requirements?

No, a California consumer still has the right to request that their personal information be deleted (with many exceptions) and the right to opt out of the sale of their personal information. Section 1798.125’s non-discrimination clause remains but clarifies that a business may “offer financial incentives including payments … for the collection, … sale, or … deletion of personal information.” Thus, if a consumer does not opt in, or requests that a business not sell or delete their personal information, a business “may also offer a different price, rate, level, or quality of goods or services to the consumer if that price or difference is directly related to the value provided to the business by the consumer’s data.” For California, privacy becomes a commodity, and we anticipate many conversations will take place on how to arrive at a value for the consumer data provided.

What clarifications or exemptions are there for California’s definition of “personal information”?

The language “capable of being associated,” as it pertains to a household, was clarified to “reasonably capable of being associated.” Deidentified and aggregate consumer data are altogether excluded from the “personal information” definition.

What is the deal with the toll-free number requirement when facilitating consumer requests?

A business must provide two separate consumer request submission mechanisms. However, if the business operates exclusively online, and has a direct relationship with consumers from whom it collects personal information, an email address can be used instead of a toll-free number for consumer request submissions.

What is next?

The California Attorney General is expected to issue draft rules that will clarify notice and request verification protocols under the CCPA before the January enactment date.

Conclusion

On January 1, 2020, a substantial shift in data privacy will have a broad impact on businesses that handle personal information. For CCPA compliance, data protection programs must know where particular personal information is stored, adequately respond to the consumer, know to whom that information has been disclosed, and know how to access and delete it if required. With a flurry of additional state bills with similar requirements in progress, businesses must bite the privacy bullet and be ready to comply with the CCPA’s prescriptive and stringent requirements.

Ron Naulls

Senior Manager
Technology Consulting - Security and Privacy
