The long-awaited proposed CCPA regulations were released on Thursday, October 10th, in a Notice of Rulemaking issued by the California Attorney General Xavier Becerra. The following day, California Governor Gavin Newsom signed into law 5 bills amending the CCPA and a new data broker registration law related to the CCPA. This article provides an overview of the newly enacted amendments and the proposed regulations, and is the first in a twelve-part series covering recent updates to the CCPA.
While at least 18 bills to amend the CCPA were introduced in the California legislature this year, 6 made it all the way through to signature by the governor. The bills that explicitly amend the CCPA include AB-25, AB-874, AB-1146, AB-1355 and AB-1564. As a whole, the amendments do not add up to significant changes for most businesses that have been preparing for compliance with the CCPA; however, they do provide important clarifications on certain issues. Key changes include:
Employment-related data: 1-year carve out for employment-related data as long as the data is used solely for employment-related purposes. Businesses relying on this carve out must still provide a privacy notice at collection of personal information, and consumers retain their rights to institute a civil action and recover damages in connection with a security incident involving such data.
B2B transactions: 1-year carve out for business-to-business communications and transactions involving due diligence, or providing or receiving a product or service. Businesses relying on this carve out must still comply with the “Do Not Sell” obligations of the CCPA, and consumers retain their rights to institute a civil action and recover damages in connection with a security incident involving such data. Notably, this carve out does not affect marketing communications or other B2B communications that do not involve providing or receiving a product or service.
Simplification for online-only businesses: For businesses that operate solely online and have direct consumer relationships, a toll-free telephone number is not required for submitting consumer requests, only an email address.
Other changes involve definitional clarifications and technical adjustments as well as industry-specific exemptions. In addition to the explicit amendments, AB-1202 added a separate title to the California Civil Code related to sales of data and specifically to require registration of data brokers similar to the data broker legislation enacted in Vermont in 2018. AB-1202 relies on terms defined in the CCPA with the exception of the term “data broker,” which it defines as a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.
Proposed CCPA Regulations
As noted above, the day before the CCPA amendments were signed into law, the proposed CCPA regulations (the “regulations”) were issued. Accordingly, the regulations do not take into consideration the new amendments. The regulations are set forth as 5 new articles covering sections in §§ 999.300 through 999.341 of Title 11, Division 1, Chapter 20, of the California Code of Regulations (CCR) concerning the CCPA. The articles cover topics organized around five key themes, which we will cover in detail over the next four days:
Business Practices for Handling Consumer Requests, including methods for submitting and responding to requests to know (e.g., access) and requests to delete, requirements for service providers, requests to opt-out, requests to opt-in, training, record keeping, and requests to access or delete household information;
Verification of Requests, including general rules, accounts, non-account holders, and authorized agents;
Minors, including minors under 13 years of age, minors 13 to 16 years of age, and notices to minors under 16 years of age; and
Non-Discrimination in connection with financial incentives and calculating the value of consumer data.
The Attorney General also announced four public hearings for comments on the proposed regulations. The public hearings will take place in early December in four cities: Sacramento – the 2nd, Los Angeles – the 3rd, San Francisco – the 4th, and Fresno – the 5th, and the written comment period closes on December 6th. We expect a revised version of the regulations addressing the amendments to be released in advance of those hearings; however, it is possible that the amendments may be addressed together with public comments following closure of the comment period. Based on the last round of public comments, we believe it is unlikely that the regulations will be finalized prior to the beginning of January when CCPA goes into effect.
To learn more, register for the upcoming October 16th webinar “Update Your CCPA Plan with Practical Insights into the Proposed Regulations, 2019 Amendments to the Law, and More.”
This update was provided by the TrustArc Privacy Intelligence News and Insights Service, part of the TrustArc Platform.