The Governor of California signed 6 amendments into law for the CCPA on Friday, October 11th, prior to the full draft legislative changes scheduled for the public hearing on December 6th in which the Attorney General will consider written comments.
The Attorney General also addressed some of the questions that companies have been grappling with, including: how to manage household data, who is and is not a service provider, how to validate using only the information provided by the consumer, and how to provide answers to subject access requests involving sensitive personal information without exposing the company to potential liability.
These regulation updates will have a profound impact on how companies must review their data governance. Technological assessments and procedural measures must be taken to ensure compliance is achieved by the CCPA effective date on January 1st.
Emphasizes that companies may offer a different product or service if it is “reasonably related to the value of the consumer’s data”.
Submitting requests to see and delete data
Rules and procedures as to how consumers are to make requests. If a consumer submits a request through a non-designated method, the company must either treat it as if it had been submitted through a designated method or provide instructions on the designated request method.
This would provide companies with the implementation process for a parent or guardian to opt in to the sale of their information.
Notices to consumers
Promotes greater transparency of how companies capture, use and share personal data and what companies need to do in order to comply with the CCPA online and offline.
- Clearly outlines the ADA/WCAG accessibility requirements.
- Description of each category of information, sources and purposes.
- Offline notices. Ensure companies have prominent signage alerting consumers of their right to their data.
- Renaming of the “Do not sell my personal information” link to “Do not sell my info”.
Aligns various parts of the CCPA that caused confusion as to how the CCPA relates to service providers, addressing concerns raised during the AG's initial public hearings. A service provider cannot disclose information it collects from companies or consumers to another person or entity.
Timing, record-keeping, and verification
Encourages companies to respond to consumer requests in a complete and timely manner. Companies must confirm receipt of a request within 7 days and maintain records for 2 years. Companies are not allowed to retain the information used for verification, and a company may require re-authentication upon a deletion request.
Records must show the number of requests received, the number of deletion requests received, the number of opt-outs (do not sell), and the average number of days to complete a request (for the last 24 months).
Additional proposed clarifications:
- A "Do not sell" request requires a 15-day window to verify the request. The company must notify any third parties to whom it sold the consumer's data in the past 90 days.
- If a company is not required to comply with a CCPA data request, it must respond to the consumer explaining why and what rights the consumer has to appeal.
- To take the 45-day extension, a company must make that request within 10 days of the data request.
- A company may provide a consumer the ability to opt back in to the sale of their data. If so, it must be a double opt-in.
Governor Newsom signed 6 amendments into law; they are outlined below:
Amendment corrections (AB 1355)
Many important technical corrections, including: the exclusion of deidentified or aggregated consumer information, a one-year exemption for B2B communications or transactions, and an expanded exemption for FCRA-compliant companies.
Data brokers are required to register with the attorney general (AB 1202)
"By contrast, consumers are generally not aware that data brokers possess their personal information, how to exercise their right to opt out, and whether they can have their information deleted." Consumers will gain the ability to understand data broker data use and prevent the misuse of that data with an opt-out option.
Data breach notifications (AB 1130)
Further clarifications around data categories that are included such as tax identification numbers, passport numbers, and biometric data. Also includes "instructions on how to notify other entities that used the same biometric data as an authenticator to no longer rely on data for authentication purposes."
Employee exemption (AB 25)
Excludes employee personal information for a one-year period from many of the CCPA's requirements – during which the legislature would consider more comprehensive legislation on employee privacy.
Consumer request for disclosure methods (AB 1564)
Provides alternatives to the requirement that companies under CCPA must have a toll-free number available to consumers to send requests for information about the use of their personal information.
Vehicle information exemption (AB 1146)
Exempts information shared or disclosed for warranty purposes.
Publicly available information (AB 874)
"This bill would redefine “personal information” to mean information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. The bill would also define “publicly available” to mean information that is lawfully made available from federal, state, or local records."