California Amends CCPA and Attorney General Issues Proposed Regulations - Clarip Privacy Blog

California Amends CCPA and Attorney General Issues Proposed Regulations

In early October, there were two major developments in the world of the California Consumer Privacy Act.


First, on October 10, 2019, the California Attorney General issued the long-anticipated Proposed Text of the California Consumer Privacy Act Regulations (“Proposed Regulations”) and the accompanying Initial Statement of Reasons. The Proposed Regulations are intended to operationalize the CCPA and provide practical guidance to consumers and businesses subject to the law on a number of issues, including the details on giving notices to consumers, the content of privacy policies, handling of consumer requests to access and delete and to opt out of sale of personal information, verification of consumer identity, training and record-keeping requirements, and non-discrimination practices. The Attorney General also considered but rejected creating a safe harbor exemption from the CCPA for businesses that are already complying with the GDPR, given that the two regulations have different requirements, definitions, and scope.

The publication of the Proposed Regulations commences a public comment period that will continue through December 6, 2019. The Attorney General will also hold public hearings in early December in Sacramento, Los Angeles, San Francisco, and Fresno that will provide the public an opportunity to present statements or comments with respect to the Proposed Regulations. Any interested party may submit written comments regarding the Proposed Regulations at the public hearings, by mail, or via email. The details on the submission process are available on the Attorney General’s website. The final regulations are expected to be published by July 1, 2020.

Second, on October 11, 2019, the California Governor signed several amendments to the CCPA (AB 25, 874, 1130, 1146, 1202, 1355, 1564), thereby finalizing changes to the Act before it comes into effect on January 1, 2020. The following is a summary of the most notable changes:

A One-year Delay on Employee and Contractor Data. The amended Act exempts, until January 1, 2021, from all provisions of the Act, except the private civil action provision and the obligation to inform the consumer as to the categories of personal information to be collected, information collected from a person by a business in the course of the person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business.

Revised Definitions of Personal and Publicly Available Information. The amended Act redefines “personal information” under Section 1798.140(o)(1) to mean information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. It defines “publicly available” information to mean information that is lawfully made available from federal, state, or local records. It further provides that “personal information” does not include de-identified or aggregate consumer information.

Consumer’s Right to Request Specific Information about Consumer. The amended Act clarifies that a business must disclose to consumers that a consumer has the right to request the specific pieces of information, in addition to the categories of information, that the business has collected about that consumer as well as the fact that a consumer has the right to request that the business delete that information.

Toll Free Number Alternative. The amended Act modifies the toll-free telephone number requirement under the CCPA. A business that operates exclusively online and has a direct consumer relationship will not need to provide a toll-free number under Section 1798.130(a)(1)(A). Instead, it is only required to provide an email address for consumers to submit right to access and delete requests, along with the law’s other requirements.

Exemption for Vehicle Information Pertaining to Warranty or Recall. The amended Act excepts from the right to opt out of the sale of personal information vehicle or ownership information retained or shared between a new motor vehicle dealer and the vehicle’s manufacturer, if the information is shared for the purpose of effectuating or in anticipation of effectuating a vehicle repair covered by a vehicle warranty or a recall.

Expanded Definition of Personal Information for Purposes of Data Breaches and Private Actions under the Act. For purposes of data breaches, including private right of action pursuant to Section 1798.150, the definition of personal information is amended to include specified unique biometric data (fingerprint, retina, or iris image, used to authenticate a specific individual, but not a physical or digital photograph, unless used or stored for facial recognition purposes) and tax identification numbers, passport numbers, military identification numbers, and unique identification numbers issued on a government document in addition to driver’s licenses and California identification cards.

Data Broker Registration. The amended Act requires data brokers to register with, and provide certain information to, the Attorney General. A data broker is defined as a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship, subject to specified exceptions.

According to a recently published Standardized Regulatory Impact Assessment: California Consumer Privacy Act of 2018 Regulations Report prepared by the Berkeley Economic Advising and Research LLC for the California Attorney General’s Office, 75% of all California businesses will be required to comply with the CCPA and the total cost of initial compliance, which constitutes the vast majority of the compliance efforts, will be approximately $55 billion. Once the CCPA is implemented, the total compliance cost over the next decade is expected to be between $467 million and over $16 billion. Since the application of the CCPA is not limited to California businesses, the compliance costs for businesses across the country are expected to be much higher.

As businesses are faced with mounting compliance costs, selecting the right provider to facilitate CCPA compliance is crucial. Clarip’s enterprise privacy software is built to help your company navigate the CCPA.

Ask Clarip today how we can solve your biggest compliance pain points. Call Clarip at 1-888-252-5653.
