CCPA Amendments Signed; Draft Regulations Released
Officials Attempt to Clarify Complex California Law's Requirements
Gov. Gavin Newsom has signed into law six amendments to the California Consumer Privacy Act as well as another bill updating the state's long-standing data breach law to require notification of breaches that expose biometric and passport data.
CCPA will provide sweeping privacy protections for California's residents. It includes, for example, a provision that will allow consumers to know what data companies are collecting on them. Another section gives consumers the right to have their personal information deleted from company databases (see: CCPA: The Start of a New Era of Consumer Privacy Laws?).
The draft regulations seek to offer guidelines on a number of issues, including how consumers are to be notified when a company is seeking to collect personal information and how companies must handle consumer requests for an accounting of information that they may have collected.
The California Attorney General's Office plans to hold a series of public hearings about the draft regulations through Dec. 6. It then plans to publish the final set of rules for CCPA in the spring of 2020.
Under CCPA, the attorney general must adopt final implementing regulations no later than July 1, 2020. The attorney general’s office cannot take CCPA enforcement action until six months after publication of the final regulations or July 1, 2020, whichever comes first.
The Six Amendments
Here’s a breakdown of the six amendments signed by the governor:
- AB-1202 requires data brokers to register with the state attorney general's office.
- AB-1564 directs businesses to offer consumers at least two methods for submitting requests for the information the companies may have collected, one of which must be a toll-free number. A company that operates exclusively online and has a direct relationship with the consumer only has to provide an email address.
- AB-25 changed CCPA so that, for one year, it does not cover the collection of personal information from job applicants, employees, business owners, directors, officers, medical staff and contractors in that capacity.
- AB-1355 exempts aggregate data from the personal information definition in CCPA. It also creates some additional exemptions for other types of data, such as some business-to-business information.
- AB-1146 exempts from CCPA vehicle information collected as part of a warranty or recall program.
- AB-874 clarifies that "publicly available" information under CCPA is defined as information that is lawfully made available from federal, state or local government records.
Data Breach Notification
In addition to the six amendments to CCPA, Newsom signed AB-1130, which expands the list of personal data under the state's data breach notification law. Under the amendment, organizations must notify consumers if passport data, biometric data, taxpayer and military identification numbers, and other unique government identification numbers are compromised as part of a breach.
California Assemblyman Marc Levine, who sponsored the bill to update the notification law, notes that when Marriott announced the data breach of its Starwood reservation database in November 2018, the company didn't have to notify some victims who lived in the state because passport numbers were not included in the original law. This amendment closes that loophole, Levine says.
Although Marriott was not required to notify California residents who had their passport numbers compromised, the company did notify victims anyway.
Draft Regulations
The draft implementing regulations unveiled by the attorney general refine some aspects of CCPA, according to the International Association of Privacy Professionals, which published a lengthy analysis of the updates to the law.
For instance, CCPA requires an initial notice to a consumer that discloses which categories of personal information are being collected and how it is being used, according to the IAPP. This requirement changes slightly under the draft regulations, the analysis found.
CCPA applies to for-profit businesses that do business in California, regardless of where they are headquartered, and meet any one of three thresholds:
- Companies with annual gross revenue of more than $25 million;
- Companies that buy, sell or share the personal information of 50,000 or more consumers, households or devices per year;
- Companies that derive 50 percent or more of their annual revenue from selling consumers' personal information.
A recent report from the IAPP found that as of this summer, only 2 percent of affected businesses were fully compliant with the law.
And a recently released study of the potential costs of CCPA estimated that businesses may spend $55 billion on initial compliance costs (see: Initial CCPA Compliance Costs Could Hit $55 Billion: Study).