The California legislative Assembly and Senate both approved several amendments to the California Consumer Privacy Act (CCPA) set to take effect on January 1, 2020, and become enforceable on July 1, 2020.
First, the CCPA was amended to exclude from its application a business's handling of information about its employees, managers, directors, job applicants and freelancers. It also exempts information about these categories of individuals in a business-to-business relationship. These individuals will not be entitled to most of the rights otherwise afforded by the CCPA to data subjects. However, they are entitled to receive notice from the business describing the types of information collected about them and the purpose of collection. These individuals will still be entitled to the CCPA's private right of action in case of a data breach resulting from the business's failure to maintain reasonable security measures. The CCPA's carve-out for these workforce individuals will expire on January 1, 2021, when the CCPA becomes fully applicable to them.
Another amendment exempts businesses who operate exclusively online and have direct relationship with the data subjects, from the CCPA's requirement to offer a toll-free number for individuals to contact the business and request to exercise the data right. These businesses can make do with an email address for inquiries, but if they operate a website, they must also offer individuals a website-based mechanism for such requests.
The CCPA's definition of personal information covered by it was amended to clarify that it only covers information that can reasonably be traced to an individual, and does not cover de-identified or aggregated information.
These and other CCPA amendments approved by the California legislature on September 13 are pending signature into law by the Governor of California by mid-October. Separately, the California attorney general is reportedly planned to issue for public comment its proposed CCPA implementing regulations in October.
This article was published in the Internet, Cyber and Copyright Group's September 2019 Newsletter.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.