Friday, September 13, 2019, marked the last day for legislative activity in the state of California, and with the effective date of the California Consumer Privacy Act (CCPA or the Act) looming on January 1, 2020, many businesses were waiting hopefully for some clarity and relief. The California legislature did act, passing five bills amending the Act, but the outcome represents minimal real relief for businesses affected by this sweeping law. Key questions lingered: Would employee data be excluded? Would relief from potential limitations on customer loyalty programs pass? How would measures sought by business to provide certainty and some relief fare? Overall, with the exception of provisions related to employee data, which provide some comfort, it appears that the breadth and complexity of the CCPA remains largely unchanged.
Significant impacts of the amendments that were passed
- Employee data. The amendments clarify that at least for 2020, this consumer privacy law will apply to personal information of employees, job applicants, and contractors and personal information collected through certain business-to-business (B2B) interactions, but only in certain respects.
- Data breaches and encryption. The amendments clarify how encryption and redaction may play into the private right of action for data breaches.
- Verified requests clarifications. The amendments add flexibility to the processes that businesses may use for receiving and verifying consumer access and deletion requests.
- Fair Credit Reporting Act exception amendment. The amendments exclude from CCPA applicability certain processing of consumer report data that is already governed by the federal Fair Credit Reporting Act (FCRA).
- Deidentification and aggregate data refinements. The amendments confirm that properly deidentified or aggregate data is not personal information under the Act.