California Governor Gavin Newsom signed several bills that amend the various provisions under the California Consumer Privacy Act before it became effective last January 1, 2020. The amendments were drafted no less than by the Attorney General of the state of California’s office that further improves the compliance efforts for businesses operating in and out of California.
The CCPA became the first of its kind law in the United States after it was enacted in June 2018 to further enhance the law for data privacy for Californians. This provides Californians a stronger and more significant right to gain control over their personal info when transacting with businesses in and out of California. This requires businesses to be more transparent in collecting, using, and sharing information from their customers.
Although Californians welcomed the ideas for transparency and data privacy control that the CCPA has created is quite unwieldy for many businesses. This law was drafted hastily in just one week, and some parts of it are considered vague.
It has inconsistencies, and some sections are non-existent that is being cross-referenced with the law. Furthermore, CCPA requires amendments, which is why the California legislature polished it drafting errors that resulted in several amendments before it was implemented effectively last January.
The Importance of CCPA
To further explain why CCPA is important for consumers, this law was passed because of the increasing concerns on data privacy exploitation not just in California, but around the world.
This is not just a series of compliance obligations that are subject to the law that businesses have to follow, and the CCPA is important for its representation conceptually. This law is designed after the European Union’s General Data Protection Regulation (GDPR), which is to protect the personal information of the consumer and requires companies or businesses to handle it securely and safely.
Businesses are required to come up with the best for their consumers in handling their personal information, and also to accommodate their consumers’ rights that they may be exercising different privacy laws.
How Does CCPA Impact Consumers?
The CCPA focuses on providing improved privacy rights and protection to consumers in the state of California.
Businesses should always disclose the personal data they collected, sold, and disclosed when they transacted with their customers. They have to inform their consumers of the different categories of personal data collected as well as the purposes that their data will be used for.
CCPA creates a positive impact on consumers who have concerns about their data privacy and poses a challenge for businesses that operate in collecting the personal data of their consumers in California. This law is applied to all types of businesses in California, while companies outside California has to comply with its regulations whenever they transact with customers from California.
October Amendments
Last October, the Attorney General’s office of the State of California issued two major amendments for CCPA that drafted implementing regulations.
Governor Newsom signed these amendments, which creates a narrowly significant application for this law that is good for one year.
The amendments that were made in October last year was under Employee Exemption along with Business-to-business (B2B) Exemption. The term exemption, however, for these amended parts of the law is just overstated, and it is instead limited to minimal rights and businesses of this law for one year.
Everyone will benefit from the full rights under CCPA beginning next year unless there is another set of amendments done.
Below is the detailed look of the two amendments and how this ease but does not erase the compliance burden for companies covered by the CCPA.
- A Limited exception with several employees’ rights for 12 months (1 year) – the amendments in this law to not include personal information which businesses collect from their applicants, current employees, the owner themselves, directors, along with contractors as well as officers. This amendment results in the disapproval of applicants for various jobs as well as employees to request their employer or former employer to delete their personal information from their system that was collected until its deadline on January 1, 2021.
- The business-to-business exception limited and expired in 1 year– Another amendment made last October was the Assembly Bill 1335 that excludes personal information that is collected by a business if it is communicating with a consumer that represents an organization. This exception is applied when the communication occurs solely within the business transaction between the business and the consumer. To put it differently, an individual whose personal info is being collected in the nature of the business or in a business-to-business environment or channel is not required to have the CCPA-conferred rights for the Notice within the Collection or have the rights to have access or request to delete their personal information.
December New Amendments
Two months after the two amendments drafted for CCPA, five new amendments were drafted by the Attorney General’s office of the State of California and signed by Governor Newsom. These amendments augmented the previous regulatory language into account with compliance planning.
These amendments are the “Update to Definition of Publicly Available PI (Personal Information) or Assembly Bill 874”, the “Expansion of Data Breach Notification Inclusive or Assembly Bill 1130”, the “Data Broker Registration or Assembly Bill 1202”, the “Consumer Requests Disclosure Methods or Assembly Bill 1564,” and the “Application of Vehicle Information, Warranties and Recalls or Assembly Bill 1146”.
For a complete rundown of the five amendments for December, check it out below.
- Update to Definition of Publicly Available PI (Personal Information) or Assembly Bill 874– This amendment was made to clarify the real definition of ‘publicly available’ information to mean that the government made available lawfully from its records. This amendment does not include the biometric information from the consumer that is collected by the business without their consent and their knowledge.
- Expansion of Data Breach Notification Inclusive or Assembly Bill 1130– This bill specifically expands the definition of personal information which to add to the different types of information that, if breached, is required to notify the consumer under the law. This covers the tax ID numbers, military ID numbers, passport numbers, and different government-issued identification numbers that are usually used for identity verification of a particular individual. This also includes the biometric data, where such data that can be part of a breach shall provide instruction on how to notify the people or entities that use this breached biometric data as an authenticator until they are no longer do so.
- Data Broker Registration or Assembly Bill 1202– This bill is required to have the registration of data brokers that should be submitted to the California State Attorney General. This provides more enforcement for authorities to penalize violators of this requirement. The attorney general is also required to make the data broker registry available publicly on their website.
- Consumer Requests Disclosure Methods or Assembly Bill 1564– This bill requires companies to provide consumers with a minimum of two methods that which requests can be submitted, one of which should be a toll-free phone number. This amendment further stipulates the surrounding consumer access requests. Businesses or companies have an exception to operate only through online if they have an existing direct relationship with their customer regarding who holds their personal information wherein an email address is allowed to submit such requests.
- Application of Vehicle Information, Warranties, and Recalls or Assembly Bill 1146– This bill exempts the vehicle information that is used or shared by a company for warranty or call-related vehicle modification or repair if the consumer opt-out of the sale right.
Future or Possible Amendments
Just last March, California’s very own Attorney General issued another round of revisions that are being proposed to become a regulation that should be implemented for CCPA. The Attorney General has published a contradiction against the earlier proposed regulations that focus on the latest changes. While several changes consist of the technical corrections and clarifications that were amended last year, several modifications proven to be significant. These modifications are expected to take effect on July 1, 2020.
The summarized changes or modifications are the “Removal of the Opt-Out/ Do Not Sell Button,” “Privacy Policy Disclosures,” “Guidance Regarding CCPA Definition of Personal Information,” “Notice of Collection Exemptions,” “Denial of Deletion Request,” “Definition of a Financial Incentive,” and “Disclosure of Sensitive Data in Responding to Requests to Know.”
As more and more businesses within California and in the US seek to comply substantially with this inconclusive new law, the legislature’s process to amend several parts of it will hopefully turn out to be a source of guidance for everyone covered by this law in the future. It is undeniable that this new law is very promising, which is why the legislature is continuing to find the best ways to work around and find the perfect balance between consumers and businesses. As this law still being studied, all businesses are advised to strictly follow the CCPA compliance guidelines. However, they should always stay updated for the amendment processes to determine the next move of the legislature.
