Skip to content

Discerning Data

  • About Us
  • Additional Resources
  • Contact Us

DISCERNING DATA

A Faegre Drinker Blog Covering the Latest in Privacy, Cybersecurity and Data Strategy

  • Privacy
  • Cybersecurity
  • Data Strategy
  • Disruptionware

How We Spent Our Summer Vacation or Summary of CCPA Amendments

Share

The long anticipated amendments to the CCPA were passed by the California Legislature in early September and now await Governor Newsom’s signature.  Some of the changes were “clean up” amendments to update cross references, standardize language, and generally address issues of drafting.  What follows is a summary of the most significant and substantive amendments:

  • The CCPA will exempt the collection of personal information from job applicants, employees, business owners, directors, officers, medical staff, or contractors, for one year, provided that the information is collected and used “solely within the person’s role” or former role as a job applicant, etc.  Businesses must still provide a notice to these individuals when personal information is collected.  (1798.145(h))
  • The CCPA includes a new one year exemption related to personal information collected in the business-to-business context. Specifically this exemption provides:

The obligations imposed on businesses by Sections 1798.100, 1798.105, 1798.110, 1798.115, 1798.130, and 1798.135 shall not apply to personal information reflecting a written or verbal communication or a transaction between the business and the consumer, where the consumer is a natural person who is acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency and whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding, providing, or receiving a product or service to or from such company, partnership, sole proprietorship, nonprofit or government agency.  (1798.145(n))

Note that this data is still subject to the “do-not-sell” requirements in Section 1798.120 and the private right of action for data breaches in Section 1798.150.

  • Upon receipt of a consumer request regarding sale of data to third parties, a business must disclose only the category of third parties with whom the information is shared rather than identifying each third party. (1798.115(a))  While the CCPA does not contain a definition of “categories” of third parties, this change eliminates the obligation to identify specific third parties.
  • The definition of personal information has been modified to include a reasonableness standard with respect to the prong of the definition that states that information that is capable of being associated with a particular consumer or household is personal information. That is, “Personal information means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.  Personal information includes, but is not limited to, the following if it identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household”.  (1798.140(o)(1))
  • The amendments clarify the carve-out from the definition of “personal information” for “publicly available” information by deleting the difficult-to-apply standard that required interpretation of the “purpose” for which records were released by the government. (1798.140(o)(2))
  • The Fair Credit Reporting Act (FCRA) exemption has been expanded to cover FCRA data rather than just data furnished to consumer reporting agencies for an FCRA purpose. (1798.145(d))
  • A new exemption was created for vehicle information or ownership information if such information is shared for the purpose of effectuating, or in anticipation of effectuating, a vehicle repair covered by a vehicle warranty or a recall conducted pursuant to Sections 30118 to 30120, inclusive of Title 49 of the United States Code, provided that the vehicle dealer or manufacturer with whom the information is shared does not sell, share, or use that information for any other purpose.  (1798.145(g))
  • The consumer’s right not to be subject to discrimination removes the difficult-to-apply requirement that incentives be related to the value of consumer data to the consumer and replaces it with the value to the business (1798.125). There are parallel and conforming changes made elsewhere in this amended section.
  • The section addressing the mechanisms for consumers to exercise their rights has been clarified in two ways. First, a business that operates exclusively online and has a direct relationship with a consumer is required to provide only an email address for the consumer to submit requests.  Second, businesses that maintain an internet website must make the website available to consumers to submit their requests.  (1798.130(a)).  For businesses with a brick and mortar facility, a toll free number will continue to be required.  In addition, this section also provides that a business may require authentication of the consumer that is reasonable in light of the nature of the personal information requested and that if the consumer maintains an account, the business may require the consumer to submit the request through that account.
  • The consumer access provision makes clear that a consumer has the right to request the specific pieces of personal information a business has collected about the consumer. (1798.110(c).)  This change clarifies a consumer’s right to request specific pieces of information and a business’s requirement to disclose such information upon request.
  • The private right of action has been narrowed by clarifying that information that is either encrypted or redacted is outside the scope of the right to sue for data breaches. (1798.150(a))

In addition to waiting for the California Governor’s signature on these amendments, the business community eagerly awaits Attorney General proposed regulations addressing what qualifies as a “verifiable consumer request” and requirements for do-not-sell mechanisms.  It will be a busy fall.

Drinker Biddle hosted a webinar on CCPA:

Amendments to the CCPA.

The material contained in this communication is informational, general in nature and does not constitute legal advice. The material contained in this communication should not be relied upon or used without consulting a lawyer to consider your specific circumstances. This communication was published on the date specified and may not include any changes in the topics, laws, rules or regulations covered. Receipt of this communication does not establish an attorney-client relationship. In some jurisdictions, this communication may be considered attorney advertising.

About the Author: Peter Blenkinsop

Peter Blenkinsop advises clients on regulatory compliance, focusing on two distinct but overlapping areas: (i) information privacy and data protection, and (ii) medical research. View Peter's full bio on the Faegre Drinker website.

About the Author: Reed Abrahamson

As a member of the firm’s Privacy and Cybersecurity Team, Reed Abrahamson assists clients with identifying and addressing data privacy and security risks in business operations. A Certified Information Privacy Professional - United States (CIPP-US), he helps companies design and implement privacy and data security policies and programs, and advises clients on compliance issues related to the GDPR, CCPA, HIPAA, CAN-SPAM Act, TCPA, and other privacy laws. View Reed's full bio on the Faegre Drinker website.

Receive Email Alerts to New Articles

SUBSCRIBE

September 18, 2019
Written by: Peter Blenkinsop and Reed Abrahamson
Category: CCPA, Financial Services, Health Care, Insurance, Pharma/Life Sciences, Privacy, Retail

Post navigation

Previous Previous post: Failure to Respect Patient’s Right to Access Health Care Information Leads to HIPAA Settlement
Next Next post: The FCC’s “Restoration of Internet Freedom Order” Largely Survives on Appeal; But Net Neutrality is Not Dead Yet

Search the Blog

Sign Up for Email Alerts

PODCASTS

Faegre Drinker on Law and Technology

©2023 Faegre Drinker Biddle & Reath LLP. All Rights Reserved. Lawyer Advertising.

  • About Us
  • Additional Resources
  • Contact Us
We use cookies to improve your experience with our website. By browsing our site, you are agreeing to the use of cookies. For more information about how we use cookies, please review our privacy policy and cookie policy. OK
Privacy & Cookies Policy

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Non-necessary
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
SAVE & ACCEPT