CCPA , Governance & Risk Management , Privacy

CCPA Amendments Signed; Draft Regulations Released

Officials Attempt to Clarify Complex California Law's Requirements
CCPA Amendments Signed; Draft Regulations Released
California Gov. Gavin Newsom (Photo: Charlie Kaijo via Flickr/CC)

Gov. Gavin Newsom has signed into law six amendments to the California Consumer Privacy Act as well as another bill updating the state's long-standing data breach law to require notification of breaches that expose biometric and passport data.

See Also: OnDemand Webinar | Post-GDPR and CCPA: What Must Security Leaders Know about Privacy?

In addition, California Attorney General Xavier Becerra has released the first set of draft regulations to carry out CCPA, which is slated to go into effect on Jan. 1, 2020.

CCPA will provide sweeping privacy protections for California's residents. It includes, for example, a provision that will allow consumers to know what data companies are collecting on them. Another section gives consumers the right to have their personal information deleted from company databases (see: CCPA: The Start of a New Era of Consumer Privacy Laws?).

The draft regulations seek to offer guidelines on a number of issues, including how consumers are to be notified when a company is seeking to collect personal information and how companies must handle consumer requests for an accounting of information that they may have collected.

The California Attorney General's Office plans to hold a series of public hearings about the draft regulations through Dec. 6. It then plans to publish the final set of rules for CCPA in the spring of 2020.

Under CCPA, the attorney general must adopt final implementing regulations no later than July 1, 2020. The attorney general’s office cannot take CCPA enforcement action until six months after publication of the final regulations or July 1, 2020, whichever comes first.

The Six Amendments

Here’s a breakdown of the six amendments signed by the governor:

  • AB-1202 requires data brokers to register with the state;s attorney general's office.
  • AB-1564 directs businesses to offer consumers two methods for contacting them, including a toll-free number, when requesting information the companies may have collected. If a company only does business online, it only has to provide an email address.
  • AB-25 changed CCPA so it does not cover collection of personal information from job applicants, employees, business owners, directors, officers, medical staff and contractors for the first year.
  • AB-1355 exempts aggregate data from the personal information definition in CCPA. It also creates some additional exemptions for other types of data, such as some business-to-business information.
  • AB-1146 exempts from CCPA vehicle information collected as part of a warranty or recall program.
  • AB-874 clarifies that "publicly available" information under CCPA is defined as information that is lawfully made available from federal, state or local government records.

Data Breach Notification

In addition to the six amendments to CCPA, Newsom signed AB-1130, which expands the list of personal data under the state's data breach notification law. Under the amendment, organizations must notify consumers if passport data, biometric data, taxpayer and military identification numbers, and other unique government identification numbers are compromised as part of a breach.

California Assemblyman Marc Levine, who sponsored the bill to update the notification law, notes that when Marriott announced the data breach of its Starwood reservation database in November 2018, the company didn't have to notify some victims who lived in the state because passport numbers were not included in the original law. This amendment closes that loophole, Levine says.

Although Marriott was not required to notify California residents who had their passport numbers compromised, the company did notify victims anyway.

Draft Regulations

The draft implementation regulations unveiled by the attorney general change some aspects of CCPA, according to the International Association of Privacy Professionals, which published a lengthy analysis about some of the updates to the law.

For instance, CCPA requires an initial notice to a consumer that discloses which categories of personal information are being collected and how it is being used, according to the IAPP. This requirement changes slightly under the draft regulations, the analysis found.

The draft regulations, IAPP explains, “would require a list of the categories of personal information be provided and, for each category, the business or commercial purposes (as well as a link to the business's 'Do Not Sell My Info' page and privacy policy). Further, the draft rules would require that - prior to using any category of personal information for an additional business or commercial purpose - a business provide notice and obtain explicit consent from consumers."

Who's Covered?

CCPA will affect three types of businesses based in California:

  • Companies that have gross revenue of at least $25 million;
  • Companies that buy, sell and share the personal information of 50,000 or more consumers, households or devices;
  • Companies that derive 50 percent of more of their annual revenue from selling consumers’ personal information.

A recent report from the IAPP found that as of this summer, only 2 percent of affected businesses were fully compliant with the law.

And a recently released study of the potential costs of CCPA estimated that businesses may spend $55 billion on initial compliance costs (see: Initial CCPA Compliance Costs Could Hit $55 Billion: Study).


About the Author

Scott Ferguson

Scott Ferguson

Former Managing Editor, GovInfoSecurity, ISMG

Ferguson was the managing editor for the GovInfoSecurity.com media website at Information Security Media Group. Before joining ISMG, he was editor-in-chief at eWEEK and director of audience development for InformationWeek. He's also written and edited for Light Reading, Security Now, Enterprise Cloud News, TU-Automotive, Dice Insights and DevOps.com.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing careersinfosecurity.com, you agree to our use of cookies.