CCPA amendments are one step closer to becoming law. Friday, September 13 was the deadline for the California legislature to pass the proposed CCPA amendments before the Legislature adjourns. The bills that passed both houses on Friday will be submitted to California Governor Gavin Newsom, who will have until October 13 to sign the bills into law. The bills that didn’t make the vote can still become part of the CCPA eventually, but the law will likely not be amended ahead of its January 1, 2020 effective date.
More information can be found in our CCPA Amendment tracker.
Highlights on the Bills Awaiting Governor Newsom’s Signature:
AB-25 – Exemption of employee from definition of consumer (One of the most eagerly awaited amendments)
- Excludes until January 1, 2021 personal information about job applicants, employees, contractors from the scope of the CCPA. The emergency contact information of the job applicants, employees, contractors are also excluded from CCPA scope. BUT there are two important exceptions: Businesses must still provide privacy notice and the direct right of action (in case of untreated breach) is still available to them
AB-1355 – Clean-up & addressing differential treatment and disclosures
- Fixes cross-referencing errors
- Under the non-discrimination provision, allows differential treatment of a consumer who has exercised CCPA rights if the differential treatment is reasonably related to value provided to the business by the consumer’s information
AB-874 – Carve outs from the ‘personal information’
- Redefines “publicly available information”
- Clarifies that personal information does not include de-identitied or aggregated consumer information
AB-1146 – Exemption for vehicle information
- Exempts vehicle information shared between a new auto dealer and a vehicle manufacturer when information is shared or retained pursuant to, or in anticipation of, a vehicle repair relating to warranty work or recall.
AB-1564 – Consumer requests
- Requires businesses to make available a toll-free number or a physical address and email address for submitting requests
- A business that exclusively operates online is only required to provide an email address for CCPA requests (and not a toll free number)
- Amends rules on consumer identity verification in response to their request. Allows business to require authentication of the consumer “that is reasonable in light of the nature of the personal information requested”. Consumer should not be required to create an account for verification, but if the consumer already has an existing account, the business can require the consumer to submit his CCPA request through it
Highlights on the Bills That Didn’t Make It:
AB-981 – Insurance Transactions
- The bill clarifies obligations for insurance organizations under the CCPA and California Insurance code. The bill would also eliminate a consumer’s right to request a business to delete or not sell the consumer’s personal information under the CCPA if it is necessary to complete an insurance transaction requested by a consumer.
AB-873 – Definition of Personal Information
- Amends definition of personal information as reasonably capable of being associated with consumer/household
- Revises definition of de-identification to include data that does not identify and is not “reasonably linkable” to a consumer
AB-846 – Ordered to inactive file at the request of Senator Jackson (12/09/19).
- Assemblywoman Autumn Burke, D-Marina Del Rey, said she plans to reintroduce the bill next year.
- Focus of the Bill: To include an exception to the CCPA ban on discriminating consumers – specifically for loyalty, rewards, premium features, discounts, or club card programs. In practice, this will allow businesses to tie different prices or quality of their products/services to consumers participating in the business loyalty program.
AB-1395 – Hearing Cancelled at the Request of the Author (07/09/19).
- Focus of the Bill: Smart speakers and Connected devices-focused bill– Bill would broaden the prohibition of providing a voice recognition-based operations without prominently informing the user of the connected device during the initial setup. This bill would include smart speaker devices – prohibiting a voice recognition feature operation without prominently informing the user.
AB-1416 – Hearing Canceled at the Request of Author (07/09/19).
- Focus of the Bill: Compliance with other rules – This bill would specify that the CCPA also does not restrict a business’s ability to comply with any rules or regulations adopted pursuant to and in furtherance of state or federal laws. Should allow e.g. for business to provide consumer’s PI to a government agency for carrying out a government program.
Other California Bills Related to Privacy
AB-1138 failed (motion to reconsider made by Assembly Member Gallagher) – Social media: Parent’s Accountability and Child Protection Act
- Requires parental/guardian consent for children under 13 to create an account with a social media website or app
AB-1202 passed and ready to be presented to the Governor – Data broker requirements
- Defines a “data broker” and requires data brokers to register with and provide certain information to the Attorney General, and failure to register may lead to liability (civil penalties, fees and costs)
As you and your team are preparing for the CCPA, check out OneTrust for CCPA, a purpose-built suite of technology solutions and professional services, helping organizations of all sizes with their CCPA compliance efforts. With OneTrust, your company can locate precisely where personal data lives and how it is used and streamline your ability to process and respond to consumer rights, opt-outs, and Do Not Sell requests.
- Learn more about OneTrust for CCPA
- Download the whitepaper: How OneTrust Helps: California Consumer Privacy Act (CCPA)
- Get the free OneTrust CCPA Initial Planning Assessment
- Download the free OneTrust CCPA Mobile App from the App Store and Google Play
Check out our CCPA blog series:
- CA Attorney General Holds Public Forums on the CCPA: What You Need to Know
- The Importance of the CCPA Look Back Requirement and What it Means for Your Organization
- 5 Simple Steps to CCPA Readiness
- CCPA: New Amendment Bills One Step Closer to Becoming Law
- How OneTrust Helps: CCPA Consumer Rights Management
- How OneTrust Helps: CCPA “Do Not Sell” Requirements
- Less Than One Month to Finalize CCPA Amendments
- The Dos and Don’ts of CCPA Consumer Right Requests