
Digital Guardian's Blog

Final Round of CCPA Amendments Outlined, Sent for Approval

by Chris Brook on Monday September 16, 2019


Five amendments to the California Consumer Privacy Act were sent to the governor of California’s desk on Friday as the most stringent law on consumer privacy continues to take form.

We're one step closer to knowing what the California Consumer Privacy Act, something that in many ways will be America's first privacy law, will look like.

The law took further shape last week on Friday, the last day for the California legislature to finalize amendments to the CCPA. While many marketing and sales-focused amendments were left in the dust, five amendments are moving forward.

With California's legislative session over, the amendments - the last expected tweaks to the CCPA - head to Governor Gavin Newsom's desk to be signed off on before the law goes into effect on January 1, 2020. The Governor has until October 13, 2019 to either sign or veto any bill.

The one amendment that didn’t move forward last week, A.B. 846, was shelved amid opposition from retailers wary that the bill would limit the sale of personal information. The amendment, as we've covered here before, would have exempted customer loyalty programs from CCPA's anti-discrimination provisions. Adjustments to the bill over the last several months would have prohibited the sale of personal information obtained through such programs. Technically A.B. 846 was moved to "inactive," meaning it's possible it resurfaces in the California legislature next year; it just won't be on the table when CCPA goes into effect.

The remaining bills that are headed to the governor's desk include:

Assembly Bill 25

This bill, passed by the California Assembly on May 29, would make it so the CCPA doesn't cover the collection of personal information from job applicants, employees, business owners, directors, officers, medical staff, or contractors for one year. Recent changes to the amendment make it so employers are exempt for one year, until January 1, 2021.

Assembly Bill 874

A.B. 874, introduced back in February, would make it so "publicly available" information includes that obtained via federal, state, or local government records.

Assembly Bill 1355

A clarifying amendment, AB-1355, excludes deidentified or aggregate consumer information from being defined as "personal information." A recent tweak to the amendment creates a one-year exemption for personal information obtained from B2B communications or transactions as long as the “information is collected in the context of the business conducting due diligence regarding a company, nonprofit, or government agency, or (b) the information is collected in the provision or receipt of a product or service to or from a company, nonprofit, or government agency.”

It also expands the scope so that information obtained in compliance with the Fair Credit Reporting Act (FCRA) is exempt as long as it's regulated by the FCRA.

Assembly Bill 1146

This amendment exempts data that's gathered or retained for warranty or recall matters as long as it’s from a recall conducted in accordance with federal law.

Assembly Bill 1564

AB-1564 is fairly straightforward in the sense that it requires organizations to have two ways - a toll-free phone number and (especially for online businesses) an e-mail address - for consumers to submit requests for their personal data.

While the CCPA is broader than the EU's General Data Protection Regulation, it's still a sweeping piece of legislation. The CCPA, for the uninitiated, will require companies to disclose what personal data they've collected on consumers in California and empower consumers to ask companies to delete that data or disallow them from sharing it with third parties.

While further clarification around the amendments will likely be needed, there will likely be few changes to the CCPA between now and January 1.

The fact that so few amendments were shelved means the law is on the fast track to going into effect. Many privacy advocates feared big tech would dilute the CCPA through amendments designed to narrow its scope. It appears as it currently stands that the law will move forward as is, with the date of enforcement set at six months after the publication of enforcement regulations or July 1, 2020.

Tags: Data Privacy, Government


Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.