On Friday, California Governor Gavin Newsom signed seven legislative proposals to amend the California Consumer Privacy Act (CCPA), marking the end of a nearly-yearlong process to make changes to the new privacy law before it goes into effect on January 1st. The next opportunity to amend the CCPA will be in the 2020 legislative session.
The Governor’s decision to sign the amendments followed the release by the California Attorney General of draft regulations last Thursday. The draft regulations are proposed rules that the California Attorney General seeks to use to direct businesses on how more specifically they can comply with the CCPA, whereas the amendments signed into law by the governor will replace or augment the statutory text of the CCPA.
Here’s the full list of the new laws that amend the CCPA:
- CLARIFYING AMENDMENTS & EXEMPTIONS: Assembly Bill 1355 exempts deidentified or aggregate consumer information from the personal information definition; creates a one-year exemption for certain B2B communications or transactions; and broadens the existing exemption for compliance with the federal Fair Credit Reporting Act (FCRA).
- DATA BROKER REGISTRATION: Assembly Bill 1202 requires data brokers to register with the California Attorney General.
- EMPLOYEE EXEMPTION: Assembly Bill 25 changes the CCPA so that the law does not cover collection of personal information from job applicants, employees, business owners, directors, officers, medical staff, or contractors for one year.
- CONSUMER REQUEST FOR DISCLOSURE METHODS: Assembly Bill 1564 requires businesses to provide two methods for consumers to submit requests for information, including, at a minimum, a toll-free telephone number, but provides that, for a business that operates exclusively online and has a direct relationship with a consumer from whom it collects personal information, is only required to provide an email address for submitting CCPA requests.
- VEHICLE WARRANTIES & RECALLS: Assembly Bill 1146 exempts vehicle information retained or shared for purposes of a warranty or recall-related vehicle repair.
- PUBLICLY AVAILABLE INFORMATION: Assembly Bill 874 streamlines the definition of “publicly available” to mean information that is lawfully made available from federal, state, or local government records. The amendment also clarifies that the definition of “personal information” excludes deidentified or aggregate consumer information.
- Data Breach Notification: In the context of data breaches, Assembly Bill 1130 revises the personal information definition to add specified unique biometric data, tax identification numbers, passport numbers, military identification numbers, and unique identification numbers issued on a government document in addition to those for driver’s licenses and California identification cards to these provisions. The amendment also authorize inclusion in the data breach notification involving biometric data, instructions on how to notify other entities that used the same type of biometric data as an authenticator to no longer rely on data for authentication purposes.