CCPA Requirements for 2020 for Businesses
With CCPA being drafted hastily and moved rapidly toward January 1, 2020, there were a number of ambiguities around the CCPA requirements for 2020 for businesses. There have been numerous public forums about the law and commentary that revealed contradictory internal cross-referencing and confusing definitions. There had been many questions circling such as whether CCPA compliance requirements were aimed at businesses headquartered in California or if the revenue threshold was total revenue or proceeds just from sales in California, to name just a few of the points of confusion. Many other questions centered around the “personal information” definition which has been noted to be much broader than other well known regulations such as the GDPR. In order to provide clarification questions around the CCPA requirements for 2020, many of these questions have been addressed in a series of CCPA amendments.
California Governor Signs Five CCPA Amendments
On October 11, Governor Gavin Newsom signed all five of these bills. Following is a summary of the CCPA amendments that passed (gov.ca.gov/2019/10/11/governor-newsom-issues-legislative-update-10-11-19/).
A.B. 25—HR Data Exemption: Excludes employee or job applicant data from a consumer’s right to access, deletion, and opt-out (leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201920200AB25)
A.B. 874 — Clarification on “publicly available information” and “Personal information” definition: Clarifies that “publicly available information” that is lawfully made available from federal, state, or local records, and “deidentified or aggregate” information are not considered “personal information” (leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201920200AB874)
A.B. 1146 —Product warranty or recall or vehicle information exclusion: Excludes from the right to opt-out vehicle and ownership information for purposes of vehicle repair covered by a warranty or recall (leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201920200AB1146)
A.B. 1355—Definition of “business” and other related definitions and clarifications: Businesses may offer different rates or services levels based on the value of the consumer data; grants certain exceptions for personal information provided as part of a transaction; disclose and deliver the required information to a consumer free of charge within 45 days of receiving a verifiable consumer request from the consumer and promptly take steps to determine whether the request is a verifiable consumer request (leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201920200AB1355).
(1) A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners that collects consumers’ personal information or on the behalf of which that information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of California, and that satisfies one or more of the following thresholds:
(A) Has annual gross revenues in excess of twenty-five million dollars ($25,000,000), as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185.
(B) Alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.
(C) Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
A.B. 1564—Designated consumer request methods: Provides that businesses that operate exclusively online and has a direct relationship with the consumer need to provide only an email address for submitting consumer requests (leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201920200AB1564).
This is further clarification and changes to A.B. 1355 which required that businesses make available to consumers two or more designated methods for submitting requests, including, at a minimum, a toll-free telephone number, and if the business maintains an internet website, a website address.
These five amendments don’t solve the questions forever as most of them are set only for the next 12 months. However, it is anticipated that there will be further distillation and clarification around the CCPA requirements as more businesses put it into action in 2020.
If you have questions about CCPA requirements, reach out to the 2B Advice privacy compliance experts today!
One of the distinctions between the (GDPR) and the California Consumer Privacy Act (CCPA) is the definition of a Data Protection OfficerHow to Avoid CCPA Fines & Penalties
Do businesses need to worry about CCPA fines and penalties? Should they act now to comply with CCPA or wait for a federal law?GDPR Fines & Penalties Enforcement Actions
Since GDPR rolled, there has been growing number of data breach notifications, a number of which are starting to result in significant GDPR fines.