A Summary of the CCPA Amendments and the Impacts to Businesses
Hot off the presses are amendments to the California Consumer Privacy Act (CCPA), passed by the California legislature on September 13, 2019, which now await the Governor’s signature by October 13, 2019.
The short summary is as follows:
- AB 25 passed, exempting employee data for one year. The bill exempts employee data from the CCPA’s scope until January 21, 2021.
- AB 1564 adds an exception for the toll-free number requirement for businesses. It permits “a business that operates exclusively online and has a direct relationship with a consumer from whom it collects personal information” to only provide an email address for submitting requests to exercise various CCPA rights.
- AB 874 adds ‘reasonable’ to the definition of PI, and removes the restriction on the use of publicly available information. In this context, publicly available means information that is lawfully made available from federal, state, or local government.
- AB 1355 adds an exclusion of deidentified and aggregate information from the definition of personal information and makes other clean-up changes.
- It also adds a B2B exception that provides a one-year exemption (until January 1, 2021) for personal information collected by a business through B2B transactions, with specific limitations:
  - the information is collected in the context of the business conducting due diligence regarding a company, nonprofit, or government agency, or
  - the information is collected in the provision or receipt of a product or service to or from a company, nonprofit, or government agency.
- FCRA Expansion: clarifies that use or disclosure of personal information by a consumer reporting agency, furnisher of information, or user of a consumer report (such as an employer) is exempt from the CCPA, so long as that activity is regulated by the FCRA.
Note that this Exemption does not apply in the event of a data breach that would be actionable under the CCPA’s private right of action.
- The bill also removes beneficiary and emergency contact data from the law’s scope.
- It is unclear whether third-party HR vendors who receive employee personal information and only use it within the context of the consumer’s employment role are also excluded.
- AB 1202 creates a data broker registry similar to Vermont’s that went into effect January 1, 2019.
  - Organizations should determine whether their “sales” under CCPA make them a “data broker” in CA.
  - “Data broker” is defined as a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship, subject to specified exceptions.
Significant bills that didn’t pass:
- AB 846, exempting loyalty programs from non-discrimination provisions. This will continue to leave it ambiguous whether loyalty programs qualify as the “sale of data.”
- AB 2181, requiring businesses to disclose their use of facial recognition technology.
- AB 981, exempting insurance transactions from deletion and opt-out of sale requests when necessary to complete insurance transactions for products or services.
CCPA enforcement begins July 1, 2020, though the law is effective January 1, 2020, at which time consumers can begin requesting their individual rights. Those individual rights have a 12-month look-back period, so it is imperative that companies not delay in their preparation.