CCPA Amendments - What Happens Next?

The last batch of amendments to the California Consumer Privacy Act were signed by Governor Gavin Newsom on Friday, October 11th, 2019. The bill now enters a 45-day period for stakeholders to submit commentary for consideration. The Attorney General’s office invites the public to submit proposals aimed at lessening any adverse economic impact on business.

There are four meetings scheduled in early December 2019 where stakeholders can participate by submitting commentary. While it allows for possibly more amendments as the AG’s office will be fielding inquiries into justifying the enormous costs anticipated by states impact report, experts caution business leaders not to expect any radical changes. They further alert businesses to be prepared for enforcement actions to be swift and prompt once the six month grace period is over on July 1 2020.

Here is a quick snapshot of CCPA related amendments, what you need to know, and how they can potentially impact your business.

Personal Information Definition (AB-874). This amendment will likely cause a stir among data brokers and other types of online businesses that rely on consumer data. The amendment adds in the word “reasonable” to now say that it includes consumer data which “is reasonably capable of being associated with a particular consumer or household.” Since “reasonable” is open to a broad latitude of interpretation, expect this be a hot topic amongst the online advertising community.

Employers Exempt for One More Year (AB-25). This amendment offers a small reprieve to employers that have communications considered as B2B correspondence. Employee records and correspondence covered under business-to-business relationship are exempt until January 1, 2021. Additionally, it instructs consumers that have an existing account with a business to use their own account when submitting their data subject action request (DSAR).

Lifts CCPA Phone Number Requirements (AB-1564). This amendment applies to companies that operate exclusively online and have a direct relationship with their customers. Now they will only be required to provide an email address for submitting requests. Lastly, it requires any applicable business that maintains an internet website, to make the website available so consumers can submit with a DSAR.

One Year Reprieve for B2B and B2C Communications. (AB-1355). This amendment offers a small amount of breathing space for organizations that collect personal information to determine credit worthiness and standing. They are exempt until January 1, 2021 from civil action in the event they fail to reasonably maintain security controls and practices.

A short reprieve is also being extended to retail operations that keep or sell personal information contained in consumer communications for the purpose of buying or selling a product. These types of communications are also exempt from the DSAR process until January 1, 2021.

Vehicle Warranty and Recall Communications (AB-1146). The CCPA currently allows a business to sell a consumer’s data unless they opt-out of the sale. The amendment prohibits consumers from opting out of warranty or recall communications for automobiles. In addition, it allows the sharing of consumer data between a new vehicle dealer and the manufacturer. But sharing many only be conducted for repairs covered by a warranty or recall.

Data Brokers Must Register (AB-1202). Technically AB 1202 is a CCPA adjacent bill. It requires data brokers to register with the AG’s office. These organizations buy and sell consumer data to third parties. They are likely companies that most consumers are not familiar with as they have not direct relationship with consumers.

It defines data brokers as an organization that has no direct relationship to consumers, but knowingly sells consumers’ personal information to third parties. It also specifically calls out that most consumer reporting agencies and financial institutions are excluded from its purview.

Biometrics and government Identifiers (AB 1130). This amendment expands the types of personal information covered by California’s breach notification statutes to include biometric information and government identifiers, such as passport numbers or tax ID numbers.