The Most Comprehensive Data Protection Solution

Discover, classify, and protect your data from all threats with the only Gartner Magic Quadrant DLP and Forrester Wave EDR Leader.

First and Only Solution to Converge:

  • Data Loss Prevention
  • Endpoint Detection and Response
  • User and Entity Behavior Analytics
DATAINSIDER

Digital Guardian's Blog

Tracking The Latest Amendments to the California Consumer Privacy Act

by Chris Brook on Monday September 16, 2019

Contact Us
Free Demo
Chat

As we inch towards 2020, the California Consumer Privacy Act's (CCPA) go-live date, California legislators continue to refine and amend the law.

Assuming they’re passed by the California Senate, the most recent round of amendments, approved by the California Assembly two weeks ago, will create exceptions for some businesses and new obligations for others.

The CCPA, for the uninitiated, is a piece of sweeping consumer privacy legislation passed last year posed to become the most expansive privacy law in the country. The law affects any business that buys, sells or handles the personal information of California residents.

As we’re still six months away from the January 1 go-live date, there will continue to be new developments around the law but it's worth recapping where the CCPA stands following the latest slew of changes.

Assembly Bill 25

Assembly Bill 25, one of two amendments passed by the California Assembly on May 29, would tweak the CCPA so it doesn't cover data collected by job applicants, employees, contractors, or agents. The bill was first introduced by Assemblyman Ed Chau on March 25, meaning it took about two months to make it law. Before the bill was passed, CCPA defined "consumers" as California residents; AB-25 redefines the term and exempts employees and job applicants of CCPA-covered businesses.

Specifically, according to AB-25, the amendment ensures "consumer" doesn't include a “natural person whose personal information has been collected by a business in the course of a person acting as a job applicant or as an employee, contractor, or agent, on behalf of the business, to the extent their personal information is used for purposes compatible with the context of that person’s activities for the business as a job applicant, employee, contractor, or agent of the business.”

Assuming businesses only collect and use individuals' data for use as a job applicant, employee, contractor, or agent, they won't have to worry about being penalized under the CCPA.

Status: AB-25 was referred to the Senate Rules Committee on May 30 following its passage in the Assembly.

Assembly Bill 1416

This amendment, passed on May 29, would ensure the CCPA doesn't restrict businesses' ability to comply with a civil, criminal, or regulatory inquiry. It also expands on the reasons that a business wouldn't comply with a consumers’ rights. For example, under the amendment the CCPA wouldn't restrict a business' ability to share personal information with the government as long as it would explicitly be used in carrying out a government program. Nor would it restrict a business’ ability to sell the data of a customer who’s opted out if it is solely used to detect security incidents and to protect against fraudulent or illegal activity.

Status: Like AB-25, AB-1416 was referred to the Senate Rules Committee on May 30 following its passage in the Assembly.

Assembly Bill 846

Assembly Bill 846, passed by the California Assembly on May 28, would exempt customer loyalty programs from the CCPA's anti-discrimination program. To recap, the CCPA has a provision that prohibits discrimination against individuals who exercise their right to privacy and opt out of the sale of personal information. AB 846 wouldn't apply if a businesses' treatment of a customer is in connection to their voluntary participation in a loyalty program that functions with the collection, use, or sale of that consumer's data.

There’s a large percentage of consumers in loyalty programs in across America; Section 1 of AB-846 points out that 80 percent of adults belong to one and that the membership around loyalty groups has increased by 15 percent between 2015 and 2017. The passage of the bill by the Senate would leave such programs intact and only permit businesses to offer preferential pricing in connection with voluntary participation in a loyalty, reward, or club card program.

Status: AB-846 was referred to the Senate Rules Committee after it passed the Assembly. The Rules Committee referred it to the Senate Judiciary Committee on June 6.

Assembly Bill 1202

This amendment, also passed by the California Assembly on May 28, would require data brokers to register with the state's Attorney General, pay a registration fee, and honor consumers to opt out of the sale of the personal data. In registering with the Attorney General and paying a fee, the data broker would also have to provide its primary physical, email, and internet address. Data brokers that fail to register could be subject to injunction and could be liable for civil penalties, fees, and costs involved with actions brought in the name of the people of the state by the AG. This amendment would also allow the AG to create a public registry of data brokers.

Status: Similar to AB-846, AB-1202 was referred to the Senate Judiciary Committee on June 6 after making it through the Assembly and the Senate Rules Committee.

These of course are only a few of many amendments still in flux around the CCPA in the California State Legislature. Other amendments, like A.B. 1035, which would impose a strict 45-day limit for companies to disclose data breaches and AB-1146, which would exempt vehicle information, like vehicle information numbers, makes, models, years, and odometer readings, from some provisions of the CCPA, are still up in the air.

The passage of these amendments, at least by the California Assembly, come following one of the CCPA's biggest stumbling blocks to date, an attempt to add a private right of action – an attempt that was blocked a few weeks back, signaling that it won’t pass in the Senate this session. The bill, which would have expanded the right of consumers to sue companies over the handling of their personal data, passed the Senate Judiciary Hearing but died when it reached the Senate Appropriates Committee.

Tags: Compliance, Privacy

Recommended Resources


  • The seven trends that have made DLP hot again
  • How to determine the right approach for your organization
  • Making the business case to executives
  • Why Data Classification is Foundational
  • How to Classify Your Data
  • Selling Data Classification to the Business

Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.