The Latest CCPA Update: Amendments to the CCPA

4 minute read

October 2019

by cybergrx

As we learned from, “A Finance Exec, A Real Estate Developer, And a Former CIA Analyst Walk Into A Bar”, on June 28, 2018 the California Consumer Privacy Act (CCPA) was passed, signed into law, and is set to take effect January 1st, 2020. However, just like all new pieces of legislation, CCPA has been carefully reviewed and heavily scrutinized by state legislators and the businesses responsible for implementation.

On Friday, September 13, 2019, California’s legislative session adjourned for 2019, meaning so did the opportunity to amend CCPA prior to its effective date. Down to the wire, lawmakers proposed changes which aim to bring clarity and understanding to those who fall under the CCPA umbrella. Let’s review some of the most recent amendments brought to the desk of Governor Newsom that are awaiting his signature.

The following are a few highlights of amendments to CCPA that have been proposed.

AB-25

  • CCPA excludes personal information that is collected by a business about a natural person in the course of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business to the extent that the natural person’s personal information is collected and used by the business solely within the context of the natural person’s role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or a contractor of that business. (Cal. Civ. Code § 1798.145(g)(1)(A).
  • CCPA excludes personal information that is collected by a business that is emergency contact information of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business to the extent that the personal information is collected and used solely within the context of having an emergency contact on file. (Cal. Civ. Code § 1798.145(g)(1)(B).
  • CCPA excludes personal information that is necessary for the business to retain to administer benefits for another natural person relating to the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business to the extent that the personal information is collected and used solely within the context of administering those benefits.”(Cal. Civ. Code § 1798.145(g)(1)(c).

Translation: Employee personal information will be exempt from CCPA for one year.

AB-1146

  • Amending to exclude the sharing of vehicle information or ownership information as between a new motor vehicle dealer and the OEM from the right to opt-out if that sharing is for warranty repair or recall purposes Cal Civ. Code § 1798.145(g)(1))
  • Clarifying the right to deletion does not apply to maintaining personal information as necessary for written warranty or product recall (Cal Civ. Code § 1798.105(d)(1)).

Translation: If you buy a car or any other product that could be recalled, a request to delete personal information will be denied. Having access to personal information could be lifesaving should a recall occur, and a consumer need to be notified.

AB-874

  • Amending to excludes information lawfully obtained from government records from the definition of “personal information” and it clarifies that de-identified or aggregate information is not “personal information.” (Cal. Civ. Code § 1798.140(o)(1)).
  • Clarifying the meaning of “publicly available” in “information security” to “information that is lawfully made available from federal, state, or local government records. ‘Publicly available’ does not mean biometric information collected by a business about a consumer without the consumer’s knowledge.” (Cal Civ. Code § 1798.140(o)(2)).

Translation: If a business uses aggregated consumers data, they are in the clear. If passed, this type of de-identified data will also be exempt.

AB-1564

  • Clarifies that businesses must provide two or more methods for consumers to exercise their rights, including, at a minimum, a toll-free telephone number. (Cal Civ. Code § 1798.130(a)(1)(A))
  • Clarifies that if a website is maintained by a business, that business must ensure that website available to consumers to submit requests for information (Cal Civ. Code § 1798.130(a)(1)(B))
  • Adds an exception to the method of contact that permits “a business that operates exclusively online and has a direct relationship with a consumer from whom it collects personal information” to only provide an email address for submitting requests to exercise various rights. (Cal Civ. Code § 1798.130(a)(1)(A)).

Translation: This one goes to the consumer. Businesses could be given more specific guidance around the means consumers have contact them and exercise their rights. Specifically, businesses will be required to have two methods of contact, while, online-only business will only require one.

While there is confidence that Governor Newsom will sign these amendments into law, other proposed changes to CCPA have not been so lucky. That said, lawmakers and businesses remain hopeful for a positive outcome in coming days, as the governor has until Sunday, October 13th to sign or veto.

CAITLIN GRUENBERG

LEAD PRIVACY ANALYST

Related Articles

About Us

ProcessUnity is a leading provider of cloud-based applications for risk and compliance management. The company’s software as a service (SaaS) platform gives organizations the control to assess, measure, and mitigate risk and to ensure the optimal performance of key business processes. ProcessUnity’s flagship solution, ProcessUnity Vendor Risk Management, protects companies and their brands by reducing risks from third-party vendors and suppliers. ProcessUnity helps customers effectively and efficiently assess and monitor both new and existing vendors – from initial due diligence and onboarding through termination. Headquartered outside of Boston, Massachusetts, ProcessUnity is used by the world’s leading financial service firms and commercial enterprises. For more information, visit www.processunity.com.