The clock is ticking towards the January 1, 2020 deadline when the much-anticipated California Consumer Protection Act (CCPA) will take effect. CCPA is the most sweeping legislation to date in the U.S. that concerns the protection of personal information. It broadens the definition of what constitutes personal information and gives California citizens greater control over what companies can do with their personal data. This includes the right to exempt their own personal information from being shared or purchased on the open market.
Six-Month Grace Periods for CCPA
While CCPA will become the law of the land in less than two months, it is not enforceable for six months after its publishing date. This gives businesses further opportunity to address their policies and processes in order to ensure compliancy. Though the rules for enforcement won’t be published or action taken place until July 1, 2020, California Attorneys General (AGs) will have the ability to retroactively enforce violations that occur during this 6-month period. Note that the January 1 deadline does not include recent revisions to CCPA.
October Updates to CCPA
Governor Newson of California signed a series of amendments to CCPA on October 11, 2019. It is this subset of regulations that will take effect in July. These updates include the following:
- Assembly Bill 25 modifies CCPA so that it no longer covers the collection of personal information concerning job applicants, employees, medical staff, business owners, directors, officers and contractors for a period of one year.
- Assembly Bill 1146 states that vehicle information collected under a warranty or automotive recall program is now exempt from CCPA.
- Assembly Bill 1202 requires data brokers to register with the California Attorney General’s office.
- Assembly Bill 1564 will require businesses to provide two methods for consumers to contact them that must include a toll-free number. An exception has been allotted for businesses that purely operate online however. These online companies will only be required to supply an email for consumers to submit CCPA requests.
- Assembly Bill 874 updates CCPA in order to clarify the definition of what “publicly available” means in regard to information that is lawfully made available from federal, state and local government records.
- Assembly Bill 1355 exempts deidentified or aggregate consumer information from the earlier personal information definition. It also creates a one-year exemption for designated B2B (business to business) communications or transactions.
- Assembly Bill 1130 authorizes the inclusion of unique biometric data that include fingerprints, retina and iris images and other unique body characteristics used for identification. The Bill goes on to require that reporting entities that experience a breach involving biometric data must provide instructions as to how to notify other entities that may use the same biometric data as an authenticator.
CCPA Part 2?
While CCPA has not become law as of yet, another piece of legislation is being discussed in California to serve as a sequel to CCPA. Called the California Privacy Rights and Enforcement Act of 2020 (CPREA), the new initiative would prevent changes to CCPA that might undermine its consumer protections. The intention here is to prevent companies from lobbying new legislation that may weaken the privacy legislation over time. Businesses would be required to list the retention periods for various types of personal information. CPREA would also create a new state government agency with the power to audit a firm and its security efforts. One concern is that because fines would exclusively fund the agency, it will incentivize them to do so.
Other States Joining the Effort
CCPA will obviously have a big impact on businesses residing in the neighboring state of Nevada. In addition, Nevada will implement its own privacy regulations concerning online businesses and websites in the coming months. Like California, Nevada citizens will be allowed to opt-out of data collection practices for online sites. The law will also levy fines of up to $5,000 to any internet site that does not follow strict data handling requirements. The state legislature of Maine also recently passed its own privacy act concerning online customer information. The set of regulations will impose restrictions on internet service providers and goes into effect on July 1, 2020. In addition, the states of Illinois, Washington, Hawaii, Massachusetts, Minnesota, Pennsylvania, New Jersey, New York and Rhode Island are currently deliberating their own privacy regulations as well.
To help you prepare for these upcoming deadlines, here are a few references: