California Consumer Privacy Act Amendments Update & FAQs

The California legislature finished its 2019 session on Friday, September 13, marking the end of opportunities to make changes before the bill goes into effect on January 1, 2020.

In sum, five of six CCPA amendments were passed during the 2019 legislative session. Among the changes and clarifications in the amendments, the most noteworthy are:

1) AB 25 exempts for one year the personnel data of California employees, yet the exemption does not remove the notice requirement under Section 1798.100 (b) or the consumer private right of action for breach under Section 1798.150;

2) AB 1355, which will expire in one year, provides an exemption under the CCPA for personal information collected in a business-to-business transaction;

3) AB 874 amends the definition of ‘personal information’ to exclude “deidentified” or “aggregate consumer information”;

4) AB 1146 clarifies the CCPA’s deletion right does not apply to terms applicable to a written warranty or product recall, and clarifies the opt-out sale right does not apply to new vehicle or ownership information for purposes of vehicle repair, warranty, or recall;

5) AB 1564 eliminates the toll-free number requirement under explicit conditions;

6) AB 846, regarding customer loyalty programs, was ordered to inactive status and did not pass the 2019 legislative session.

Time is Running Out

For organizations that were waiting for final amendments to the CCPA before standing up compliance, the wait is over! Rest assured that on January 1, 2020, the CCPA will go into effect. With a little over 90 days left until enactment, here are some FAQs to help with compliance:

What is out of scope for the CCPA?

California employees and business-to-business California consumer contact information are broadly out of scope under the CCPA until 2021.

GLBA, HIPAA, FCRA, and similar exemptions do apply to some personal information and data. However, it is strongly encouraged that organizations seek professional advice over blanket exemptions because mistaken or inadvertent exemptions do not escape CCPA, FTC, or GDPR type enforcement.

On January 1, 2020, what will a Californian be able to do?

A Californian will be able to ask a business to provide the categories and specific pieces of personal information collected on them, or in general, the categories of personal information the business collects about consumers. The categories of personal information a business has sold to third parties, and the categories of personal information a business has to disclose to third parties for a business purpose are also included.

Were there any changes to the deletion, opt-out and/or non-discrimination requirements?

No, a California consumer still has the right to request that their personal information be deleted (with many exceptions) and the right to opt out of the sale of their personal information. Section 1798.125’s non-discrimination clause remains but clarifies that a business may “offer financial incentives including payments … for the collection, … sale, or … deletion of personal information.” Thus, if a consumer does not opt in or requests a business to not sell or delete their personal information, a business “may also offer a different price, rate, level, or quality of goods or services to the consumer if that price or difference is directly related to the value provided to the business by the consumer’s data.” For California, privacy becomes a commodity and we anticipate many conversations will take place on how to arrive at a value when it comes to the consumer data provided.

What clarifications or exemptions are there for California’s definition of “personal information”?

The language “capable of being associated,” as it pertains to a household, was clarified to read “reasonably capable of being associated.” Deidentified and aggregate consumer data are altogether excluded from the “Personal Information” definition.

What is the deal with the toll-free number requirement when facilitating consumer requests?

A business must provide two separate consumer request submission mechanisms. However, if the business operates exclusively online, and has a direct relationship with consumers from whom it collects personal information, an email address can be used instead of a toll-free number for consumer request submissions.

What is next?

The California Attorney General is expected to issue draft rules that will clarify notice and request verification protocols under the CCPA before the January enactment date.

Conclusion

On January 1, 2020, a substantial shift in data privacy will have a broad impact on businesses that handle personal information. For CCPA compliance, data protection programs must know where particular personal information is stored, adequately respond to the consumer, and also know to whom that information has been disclosed, and how to access and delete it if required. With a flurry of additional state bills with similar requirements in progress, businesses must bite the privacy bullet and be ready to comply with the CCPA’s prescriptive and stringent requirements.

Ron Naulls

Senior Manager
Technology Consulting – Security and Privacy