There has been a flurry of updates in the last few days to the California Consumer Privacy Act (CCPA) of 2018, set to go into force on Jan. 1, 2020.
The CCPA legislation as initially introduced has been criticized by the business community for being hastily written and offering vague guidance on how to achieve compliance. Two recent major updates aim to clarify the law and offer specific guidance on how businesses can best comply. Those updates include the Attorney General’s proposed regulations and seven amendments to CCPA signed by the Governor.
California AG releases guidance on implementing CCPA
The proposed regulations will help companies understand what steps they need to take to meet CCPA compliance in the following five areas:
Notices to consumers
Business practices for handling consumer requests
Verification of requests
Special rules regarding minors
The proposed regulations are available for public comment through Dec. 6, 2019, before being finalized later this year.
California’s governor signs seven amendments to CCPA into law
On Oct. 11, 2019, California governor Gavin Newsom signed the following bills into law, amending the state’s privacy laws.
AB25 – Verifying Consumer Requests and Employee Data Extension – This amendment allows a business to require consumers to submit verifiable consumer requests for access to their data through accounts that consumers maintain with the business. This amendment also grants companies an additional year before they must comply with data access requests regarding job applicant, employee, contractor, and similar employment data.
AB847 – Definition of Publicly Available Information – This amendment defines “publicly available” to mean information that is lawfully made available from federal, state, or local records.
AB1130 – Data Breach Notification and Biometric Data – This amendment revises the definition of personal information to add biometric data, tax identification numbers, passport numbers, military identification numbers, and unique identification numbers issued on government documents. This also requires that companies notify users if a security breach has compromised a user’s biometric data. The notification must include instructions on how to notify other entities that used the same type of biometric data as an authenticator to no longer rely on data for authentication purposes.
AB1146 – Vehicle Warranties/Recalls – This amendment exempts a consumer’s right to opt out of vehicle warranty or recall communications.
AB1202 – Data Broker Registry – This amendment requires data brokers to register with the attorney general.
AB1355 – Clarifications and Exemptions – The bill excludes consumer information that is de-identified or aggregate consumer information from the definition of personal information, and exempts certain business communications from CCPA compliance until January 2021.
AB1564 – Methods for Consumer Requests – For businesses that operate exclusively online, this amendment drops the requirement to have a toll-free number available for consumer data access requests.
Complying with data privacy laws has been difficult for businesses, not only due to the number of laws in different geographical jurisdictions, but also due to frequent changes to those laws prior to implementation. The amendments and new guidance on CCPA by the Attorney General offer welcome clarification, but businesses have only a handful of weeks to comply prior to these laws going into effect on Jan. 1, 2020.
*Disclaimer: I am not a lawyer and am not offering legal advice. If you have legal questions, consult a licensed attorney.*
Merry Marwig is a market research analyst at G2 focused on the privacy and data security software markets. Using G2’s dynamic research based on unbiased user reviews, Merry helps companies best understand what privacy and security products and services are available to protect their core businesses, their data, their people, and ultimately their customers, brand, and reputation. Merry's coverage areas include: data privacy platforms, data subject access requests (DSAR), identity verification, identity and access management, multi-factor authentication, risk-based authentication, confidentiality software, data security, email security, and more.