The Most Comprehensive Data Protection Solution
Discover, classify, and protect your data from all threats with the only Gartner Magic Quadrant DLP and Forrester Wave EDR Leader.
First and Only Solution to Converge:
- Data Loss Prevention
- Endpoint Detection and Response
- User and Entity Behavior Analytics
Five amendments to the California Consumer Privacy Act were sent to governor of California’s desk on Friday as the most stringent law on consumer privacy continues to take form.
We're one step closer to knowing what the California Consumer Privacy Act, something that in many ways will be America's first privacy law, will look like.
The law took further shape last week on Friday, the last day for the California legislature to finalize amendments to the CCPA. While many marketing and sales-focused amendments were left in the dust, five amendments are moving forward.
With California's legislative session over, the amendments - the last expected tweaks to the CCPA - head to Governor Gavin Newsom's desk to be signed off on before the law goes into effect on January 1, 2020. The Governor has until has until October 13, 2019 to either sign or veto any bill.
The one amendment that didn’t move forward last week, A.B. 846, was shelved amid opposition from retailers weary that the bill would limit the sale of personal information. The amendment, as we've covered here before, would have exempted customer loyalty programs from CCPA's anti-discrimination provisions. Adjustments to the bill over the last several months would have prohibited the sale of personal information obtained through such programs. Technically A.B. 846 was was moved to "inactive" meaning it's possible it resurfaces in the California legislature next year; it just won't on the table when CCPA goes into effect.
The remaining bills that are headed to the governor's desk include:
Assembly Bill 25
This bill, passed by the California Assembly on May 29, would make it so the CCPA doesn't cover the collection of personal information via job applicants, employees, business owners, directors, officers, medical staff, or contractors for one year. Recent changes to the amendment makes it so employers are exempt for one year, until January 1, 2021.
Assembly Bill 874
A.B. 874, introduced back in February, would make it so "publicly available" information includes that obtained via federal, state, or local government records
Assembly Bill 1355
A clarifying amendment, AB-1355, exempts any exclude deidentified or aggregate consumer information from being defined as "personal information." A recent tweak to the amendment creates a one-year exemption for personal information obtained from B2B communications or transactions as long as the “information is collected in the context of the business conducting due diligence regarding a company, nonprofit, or government agency, or (b) the information is collected in the provision or receipt of a product or service to or from a company, nonprofit, or government agency. “
It also expands the scope of information obtained in compliance with the Fair Credit Reporting Act (FCRA) is exempt as long as its regulated by the FCRA.
Assembly Bill 1146
This amendment exempts data that's gathered or retained for warranty or recall matters as long as it’s from a recall conducted in accordance with federal law.
Assembly Bill 1564
AB-1564, is fairly straight forward in the sense that it requires organizations to have two ways - via a toll-free phone number (and especially for online businesses) an e-mail address - for consumers to submit requests for their personal data.
While the CCPA is broader than the EU's General Data Protection Regulation, it's still a sweeping piece of legislation. The CCPA, for the uninitiated, will require companies to disclose what personal data they've collected on consumers in California and empower consumers to ask companies to delete that data or disallow them from sharing it with third parties.
While further clarification around the amendments will likely be needed, there will likely few changes to the CCPA between now and January 1.
The fact that so few amendments were shelved means the law is on the fast track to going into effect. Many privacy advocates feared big tech would dilute the CCPA through amendments designed to narrow its scope. It appears as it currently stands that the law will move forward as is, with the date of enforcement set at six months after the publication of enforcement regulations or July 1, 2020.