For better or for worse, the California Consumer Privacy Act (CCPA) will finally go into effect on January 1, 2020, and the Internet is ablaze with advice on how to meet the regulatory requirements of what some are calling “the beginning of ‘America’s GDPR.’” Last-minute amendments and late-issued guidance from the California Attorney General make compliance a real challenge, however.
Is Seven the Lucky Number for CCPA Amendments?
California Governor Gavin Newsom signed seven amendments to the CCPA into law on October 11, 2019. Especially relevant in terms of breach notification is AB 1130. This amendment expands the definition of personal information under California’s breach notification law to include “unique biometric data,” such as a fingerprint or retina image used for authentication, and “government-issued identification cards,” such as tax ID numbers, passport numbers, and military ID numbers.
As the experts at law firm BakerHostetler note, “While on the surface AB-1130 may represent yet another amendment to the California Data Breach Notification Law, a seemingly annual occurrence, the expansion of the definition of ‘personal information’ represents a significant increase in potential liability to businesses, especially considering the private right of action under the CCPA that goes into effect on Jan. 1, 2020.”
This liability is indeed significant—consumers could collect damages between $100 and $750 for each incident. So for a breach involving one million individuals, the cost to a business could be up to $750 million.
A few of the other amendments further define personal information under CCPA and applicable exemptions:
- AB 25 provides a one-year exemption for employee data, such as personal information collected from workers, job applicants, and contractors. Only the pre-collection notice requirement and the private right of action for data security incidents will apply on January 1, 2020.
- AB 874 excludes de-identified and aggregate consumer data from the definition of personal information. It also amends the definition of “publicly available information” to include legally available information from public records. This data is exempt from CCPA.
- AB 1146 adds an exemption for vehicle and ownership data for the purpose of vehicle repair relating to a warranty or recall.
- AB 1202 requires businesses that knowingly collect and sell consumer personal information, and lack a direct relationship with those consumers, to register with the California AG.
- AB 1355 provides similar exclusions as AB 874, while adding a one-year exemption for most types of B2B data collected as part of normal business transactions.
- AB 1564 modifies the methods that a business makes available to consumers to submit requests.
AG Issues Lengthy, Last-Minute Guidance for CCPA
Article 1 defines additional terms important for interpreting the CCPA and how the AG will enforce the law’s provisions.
Article 2 requires businesses to give consumers notice of their privacy practices at or before the time their personal information is collected.
Article 3 centers on how businesses should receive and respond to consumer requests to invoke their rights to access, delete, or opt out.
Article 4 mandates that businesses set up rules and methods to verify the identities of customers who make requests.
Article 5 provides special rules regarding minors. For minors under the age of 13, for example, the law requires an affirmative opt-in to a sale of personal information by the minor’s parent or guardian.
Article 6 clarifies what is meant regarding non-discrimination and financial incentive offerings.
For the most part, these provisions appear to have more critics than fans. “Lawyers and lobbyists who had raised hopes for practical or business-friendly guidance should be disappointed,” Lothar Determann of Baker McKenzie said in an IAPP article. “Where the proposed regulations add new substance, they seem to create additional ambiguities and burdens for businesses.”
The attorney general’s office is taking public comment on these proposed regulations through December 6. It will then issue the final regulations before the January 1 effective date. Keep in mind that while the CCPA compliance date starts on the first day of 2020, the enforcement date is six months later on July 1.
However, consumer lawsuits for CCPA violations could start months earlier.
The California Consumer Privacy Act (CCPA) is a first of its kind in U.S. state law. This sweeping regulation will require organizations to reexamine the ways data is collected, used, and protected. Read some of the common questions for CCPA breach notification compliance and learn how Radar provides a proactive approach to mitigate risk and remain compliant within California.