TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Tracker | A brief FAQ on the latest CCPA amendment updates Related reading: Seizing children's privacy momentum in Australia



Although scheduled to end Friday, Sept. 13, the California State Legislature was not able to conclude its business for the term until early Saturday morning. A protestor dropped blood onto the Senate floor Friday afternoon, necessitating an evacuation and cleanup that delayed the session’s conclusion. 

However, the disruption did not prevent the Legislature’s final approval of several California Consumer Privacy Act amendments that will now go to Gov. Gavin Newsom, D-Calif., for his signature. The substantive and technical amendments passed this year answer some of the questions that have been pending since the last round of amendments at the conclusion of the 2018 legislative session

To help assess these latest updates, here's a brief FAQ: 

Q: Do businesses have to worry about their employees and contractors for purposes of CCPA compliance?

A: Yes, but there have been some scope limitations. Until Jan. 1, 2021, personal information collected from employees, job applicants, owners, directors, officers, medical staff and contractors of a business, including emergency contact information and beneficiary information, is largely exempt from CCPA.  However, businesses must still provide CCPA-compliant privacy notices to these individuals, and statutory relief remains available in the event of a data breach.

Q: What about business-to-business communications or transactions?

A: As with the employee exemption, there has also been a delay of certain CCPA-compliance requirements for direct B2B communications and transactions until Jan. 1, 2021. Non-discrimination and opt-out rights are not covered by this exemption, and statutory relief is still available in the event of a data breach.

Q: Are there any new clarifications or exemptions to the definition of “personal information”?

A: There are a few. “Personal information” now includes information that is “reasonably capable of being associated with” a particular consumer or household, instead of simply “capable of being [so] associated.” Deidentified and aggregate consumer information are wholly excluded. Information that is lawfully made available from federal, state or local government records is also exempt.

Q: Do businesses need to provide a toll-free telephone number in order to intake consumer information requests?

A: Yes, unless a business operates exclusively online and has a direct relationship with consumers from whom it collects personal information. In that case, an email address can be used instead of a toll-free number. The CCPA still requires businesses to offer two separate consumer request submission mechanisms, and businesses that maintain a website must provide a means for consumers to submit requests on the website.

Q: Is there any clarification on what businesses can or need to do in order to verify a consumer’s identity when responding to an individual rights request?

A: A little. While businesses still cannot require consumers to create an account in order to submit a valid consumer request, businesses “may require authentication of the consumer that is reasonable in light of the nature of the personal information requested,” and if the requesting consumer maintains an account with the business, the business can require that the request be submitted through that account.

Q: What else has changed?

A: Consumers do not have the right to opt out of the sharing of their vehicle or ownership information between dealers and manufacturers. The Fair Credit Reporting Act exemption has been broadened to include any FCRA-regulated activity.

Q: What’s next?

A: The governor has until Oct. 13 to sign the amendments into law. The CCPA goes into effect Jan. 1, 2020, at which point consumers can exercise their individual rights under the CCPA and pursue private causes of action in response to a data breach. California Attorney General Xavier Becerra is slated to issue implementing regulations to help businesses comply with the law, and he can commence his own CCPA enforcement actions six months after the promulgation of the regulations or July 1, 2020, whichever is sooner.

Photo by Wil Stewart on Unsplash

Credits: 1

Submit for CPEs


If you want to comment on this post, you need to login.