CCPA Amendments to Be Finalized in October 2019

The California Consumer Privacy Act (CCPA) is scheduled to go into effect on January 1, 2020. There are seven amendments that will be contemplated by the CA legislature between now and September 13, 2019. At that point, all discussions and modifications will end, and the Governor will have 30 days (until October 13, 2019) to either sign the amendments into law or veto bills that have passed legislature.

CCPA Overview

The CCPA is a sweeping piece of legislation designed to provide California residents with “increased control” over their data. It allows consumers to find out what personal information of theirs has been gathered, to request that businesses delete their data, and to opt out of having their information sold. It requires affected companies to comply with certain requirements, facilitate consumer data requests, update their privacy policies, and assure that their vendors comply as well.

For a more detailed look at the CCPA and what you need to know, check out our CCPA resources, including our CCPA FAQs for financial services firms our CCPA FAQs for all industries, or read the full text of the CCPA.

Download FAQs for Financial Services     Download FAQs for All Industries

Amendment Highlights

Various groups have suggested changes to the original version of the CCPA. Some of the major amendment proposals that may impact financial institutions include the following assembly bills:

• Employee Exemption (AB 25) – This bill would exempt personal information (PI) that is collected from job applicants, employees, business owners, directors, officers, medical staff, or contractors, from the CCPA consumer rights (such as access, deletion, and opt-out). However, the Senate Committee negated the exemption with regard to the CCPA’s notice and data breach liability provisions. This means that employers would still have to provide a privacy notice, as described in the CCPA, when they collect employee PI. Employee data is also still included in the event of a data breach, and a private right of action is available. The employee exemption is a sunset provision which will expire January 1, 2021. However, as this date approaches the CA Legislature will look to provide further regulation on the handling of employee data.
   
• Loyalty Program (AB 846) – This bill would allow the use of personal information in loyalty programs (e.g., club cards, rewards programs) with consumers’ consent and voluntary participation. But it would forbid companies from selling PI from loyalty programs to other companies, i.e., no cross-marketing between businesses. That would have a considerable impact on many companies who rely on cross marketing in their business model.
   
• Consumer Requests for Disclosure Methods (AB 1564) – This bill would allow businesses that exclusively operate online and have a direct relationship with their consumers to provide just one method for consumers to contact them (email). This is less burdensome than what is originally required of entities under the CCPA, which includes access to a toll-free number and an additional method.

Some other items are also up for consideration. These amendments cover a wide range of items, including requiring data brokers to register with the attorney general (AB 1202), requiring parents/guardians of children under 13 to consent to accounts with social media sites, requiring business that use facial recognition to conspicuously disclose its usage at all relevant locations (AB 1281), allowing businesses to treat consumers who have exercised privacy rights differently if reasonably related to value provided by the business, (AB 1355), and more.

Rejected Proposals

Several notable amendments were rejected and will not modify the CCPA:

• Definition of Personal Information (AB 873) – This bill sought to include data not “reasonably linkable” to a consumer in “de-identification” information, and to remove “household” from the definition of personal information.

• Insurance Exemptions (AB 981) – This bill sought to take away from consumers the right to remove or delete personal data from insurance transactions.
   
• Exceptions for businesses (AB 1416) – This bill sought to allow some exceptions for businesses to provide personal information to a government agency, as well as to allow the sale of information from “opt-out” choosers to detect security incidents fraud and other activities.

ACA Guidance

The CCPA is a sweeping piece of legislation whose shape is still being finalized. ACA Aponix recommends following the news regarding any potential changes, and being knowledgeable about the final form it will take in mid-October. ACA Aponix will likewise provide updates as they become available.

In the meantime, Aponix recommends that companies continue to prepare for the core provisions of the CCPA which will remain intact. If an amendment applies directly to your organization, we recommend allowing for flexibility in preparation (e.g., have staff and plans available to account for any direction the final decision will take).

Register for our Complimentary Webcast

With fewer than six months to go until the CCPA compliance deadline, do you know if your company is in compliance? Join us for a complimentary webcast on October 1, 2019 to learn what you need to know to ensure compliance with the CCPA by the January 1, 2020 deadline.

Register Now

ACA CCPA Resources

Our team of experienced consultants ​has developed a resource library of FAQs, blog posts, and webcasts to help your firm navigate the complexities of the CCPA as well as implement practical steps to achieve compliance with the regulation.

• FAQs for Financial Services Firms - Download (Updated to reflect proposed amendments)
• FAQs for All Industries - Download (Updated to reflect proposed amendments)
• Blog: Why Financial Services Firms Must Prepare for the CCPA
• Webcast: CCPA: Are You on the Path to Compliance?
• Webcast: CCPA and Increasing Demands on the Privacy Office

How We Help

Our CCPA compliance assistance service helps companies assess their readiness to comply with CCPA requirements as well as implement best practices for achieving broader privacy risk and compliance objectives across the enterprise. Please contact us to learn how we can help your company.

Contact Us

For More Information

If you have any questions, please contact your ACA Aponix consultant or email us at info@acaaponix.com.