The California Consumer Privacy Act (CCPA) is almost baked.
On Friday, two days before the Oct. 13 deadline for his blessing, California Gov. Gavin Newsom signed seven bills into law that augment and bolster the CCPA.
The bills, which had been sitting on his desk since the state legislature closed its 2019 session on Sept. 13, represent the last revisions that will be made to the statute before CCPA goes into effect on Jan. 1, 2020.
The CCPA-related action has been coming thick and fast recently. On Thursday, the California attorney general’s office published the long-awaited first draft of its implementation regs. The public comment period on the regs closes Dec. 6, after which the AG’s office will digest the information it receives and share revised regs. The AG is required to issue finalized guidelines by July 1, 2020.
Whereas the purpose of the AG’s implementation regs is to provide practical guidance on how businesses can comply, the bills that Newsom just signed tweak the actual text of the law.
Despite ardent industry lobbying, there were no massive changes made to the original text of the CCPA, and most of the amendments that passed the California state legislature and are now signed into law were largely uncontested.
AB 25 creates a one-year exemption for employee data, meaning that the law doesn’t apply to personal info collected from workers, job applicants or contractors. The legislature will revisit this issue next year.
AB 874 excludes de-identified or aggregated consumer information from the law, including publicly available information collected from public records.
AB 1146 creates a carve-out so that the right of deletion doesn’t apply to vehicle repair information, like warranties and recall-related info.
AB 1202 requires data brokers to register with the California AG’s office. Data brokers are defined as businesses that knowingly collect and sell the information of consumers with whom they don’t have a direct relationship. It’s unclear, but it sounds like demand-side and supply-side platforms could fall under that definition.
AB 1355, like AB 874, aims to clarify the meaning of personal information by excluding de-identified and aggregated consumer data from the law. It also exempts most forms of B2B data, aka, the type of data collected by a business or government agency as part of normal business transactions.
Under CCPA, businesses need to provide at least two methods for consumers to submit information and deletion requests, including, at the very least, a toll-free phone number and an email address. AB 1564 allows online-only businesses that have a direct relationship with their customers to provide just one method for submitting CCPA requests, which can be an email address.
AB 1130 expands the types of personal information covered by California’s breach notification statutes to include biometric information and government identifiers, such as passport numbers or tax ID numbers.
The private right of action under CCPA is now limited to data breaches, which means consumers can only sue for data breach-related violations of CCPA. For any other CCPA violation, it’s up to the AG to take action.
By expanding the categories of personal information protected by the breach notification statutes, the amendment gives consumers a little more power to take action under CCPA – and the potential fines are hefty.
In the case of a data breach, consumers can collect statutory damages of between $100 and $750 for each event.