California Gov. Gavin Newsom has signed revisions to the California Consumer Privacy Act, which becomes effective on Jan. 1, 2020. The amendments add a bit more clarity and provide a partial but mostly temporary reprieve for those who must comply with it.
“The seven amendments signed by Governor Gavin Newsom alleviate some short-term issues for business,” explains Cillian Kieran, the CEO of data privacy company Ethyca.
Exempt certain consumer information and give a one-year reprieve for B2B communications: Assembly Bill (AB) 1355 “exempts de-identified or aggregate consumer information from the definition of personal information and provides a one-year exemption for B2B communication,” Kieran explains. The CCPA’s applicability to business-to-business transactions and communications will not kick in until Jan. 1, 2021.
Exempt employees for one year: AB 25 carves out employee information and that of prospective hires from the law’s requirements for a year as well. This temporary reprieve reduces “the pressure to consolidate and manage obligations like data subject requests” for employee and job applicant data, Kieran explains.
Clarify exclusion for publicly available information: The CCPA applies to personal information except for that which is publicly available. AB 874 provides that publicly available information is that made available from federal, state, or local records.
Specify methods that must be provided for consumers to request disclosure: AB 1564 states businesses generally must provide two or more ways for consumers to submit requests for information about their data to companies. At the very least, most businesses must provide a toll-free telephone number and a Website address as a way for consumers to do this. AB 1564 does allow businesses that operate online exclusively and that have a direct relationship with a consumer to just provide an e-mail address for submitting requests for information. If the business does have a Website, though, that Website must provide a means for consumers to submit information requests.
Include biometric data: AB 1130 expands the definition of “personal information” to include biometric data, such as fingerprints and retina scans. The definition of “personal information” now includes passport numbers and other unique identification numbers issued on a government document as well. Notifications concerning breaches of biometric data may include instructions on how to inform other companies that use the same type of biometric data as an authenticator not to use that data for authentication.
Require data broker registration: AB 1202 requires data brokers to register with the California attorney general.
Exclude vehicle warranties and recalls from deletion requests: AB 1146 provides that the CCPA’s right of deletion does not apply to information necessary for vehicle warranty repairs or recalls.
“While these amendments in some ways reduce the short-term effort required to meet data privacy obligations, they represent a relatively minor reprieve and still require businesses to plan for substantially different data operations and processing to meet regulatory requirements,” Kieran says.
In a separate development, the California attorney general proposed rules implementing the CCPA on Oct. 11. Although the regulations have not yet been finalized, the CCPA still becomes effective at the start of the New Year.
Ultimately, as laws like the CCPA and the European Union’s General Data Protection Regulation become more common, “companies should start with a strategy to reduce or eliminate the need to store personal information,” suggests Paul Martini, the CEO of cloud cyber-security company iboss.
Lori Tripoli is a writer based in the greater New York City area who focuses on legal and regulatory issues.