It’s not yet Halloween, but in California they are already getting ready for New Year’s Day. On January 1., the dreaded California Consumer Privacy Act (CCPA) takes effect. The state legislature has issued several clarifications and sent them to Governor Gavin Newsom for approval.
Based on an analysis by law firm and legal consultancy Manatt, here’s what you can expect If Newsom signs the changes to the GDPR-style bill. This is expected to happen by Oct. 13.
Perhaps the most newsworthy amendment is that AB 1202, requiring data brokers — firms that sell data on consumers with whom they have no direct connection — will be required to register with the state Attorney General’s Office. This does not apply to credit reporting agencies and financial institutions.
Then there are a couple of changes that might be seen as positive (from a marketing standpoint).
AB 1355 clarifies the CCPA’s “nondiscrimination” clause. It states that “differing prices or services can be provided based upon the value of the provided data to the business, not the consumer,” Manatt writes. This will make it easier for businesses to tie their loyalty incentives to the value of provided data, it adds.
In addition, AB 1355 exempts B2B contact information and other data collected in the context of a transaction or communication. However, it does not free firms from the “do not sell,” data breach and private-right-of-action provisions.
The exemption expires on Jan. 1, 2021.
AB 1355 also states that CCPA does not require the collection of personal data that would not normally be collected. This will help firms that want to minimize the data they collect for validation.
The other clarifications include:
AB 1564 exempts businesses that operate only online from providing a toll-free phone number for rights requests.
AB 25 exempts employment-related data from the provisions for one year. However, firms must disclose the categories and purposes of personal information they collect. This amendment sunsets on Jan. 1, 2021.
AB 874 narrows the definition of personal information, saying is must reasonably be capable of being tied to a specific household or consumer.
AB 1130 addsunique biometric data, tax identification numbers, passport numbers, military identification numbers, and other unique identification to the list of data types that can trigger CCPA’s data breach provision.
AB 1146 clarifies that the CCPA’s right of deletion and right to opt out of the sale of personal information do not apply if the business needs this information to fulfill a warranty or product recall in line with federal vehicle safety law.
Manatt notes that while “certain fixes are helpful (for example, the nondiscrimination provision), others provide only modest assistance to businesses racing to comply with the law.”
You’ve been warned. One more thing: The CCPA may be only the first of several state bills — and it may not even be the worst. Happy New Year.