As the California Consumer Privacy Act’s (CCPA) January 1, 2020 compliance deadline rapidly approaches, businesses need to assess what actions are necessary in light of recent developments. Below is a highlight of several amendments to the CCPA and existing data privacy laws.
- Employee data is exempted from a consumer’s right to access, deletion, and opt-out, under the CCPA until January 1, 2021. This includes personal information about employees, job applicants, owners, directors, staff, officers, and contractors that are utilized solely in the context of those roles. Businesses still need to provide employees with appropriate notices about their personal data.
- Personal information under the CCPA does not include “publicly available information” as well as de-identified or aggregate information, limiting the scope for key data on which businesses may rely.
- Biometric information and many government-issued identifiers are now added to the definition of personal information under the breach notification law.
- Consumers cannot opt-out of some vehicle-related information between a motor vehicle dealer and vehicle manufacturer for purpose of vehicle repair covered by a warranty or recall.
- “Data brokers” need to register with the California Attorney General. A “data broker” is a business that “knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.”
- The CCPA now has a more limited application to business-to-business (B2B) communications by exempting personal information bearing on some aspects of a consumer’s credit, character, reputation, characteristics and communication between the business and consumer for purposes of due diligence or providing or receiving a product or service.
In addition to these amendments, the California Attorney General recently released draft regulations to provide clarity and guidance regarding enforcement of the CCPA. The draft regulations set forth guidance regarding the notices businesses should provide to consumers under the CCPA including additional categories of data in businesses’ online privacy notices that were not previously specified in the CCPA. Other provisions in the Attorney General’s draft regulations addressed businesses’ practices for handling consumer requests, businesses’ practices for handling the personal information of minors, and businesses’ financial incentives offered to consumers.
These draft regulations are open for public comment, with public hearings going on this week from December 2-5, 2019. We will update you with further information as we receive them following these hearings.
Once the final regulations are adopted, they are intended to “implement, interpret and make specific” the provisions of the CCPA, pursuant to the Attorney General’s rulemaking authority under the CCPA.
As organizations prepare for CCPA compliance, businesses should consult with knowledgeable privacy counsel to evaluate whether and how these changes apply to your organization, and what appropriate steps are needed to comply with the CCPA.