Changes to the California Consumer Privacy Act (CCPA) have been finalized – Goes into effect January 1
As of September 13th, the California Legislature has finished passing amendments to the California Consumer Privacy Act (CCPA), meaning no more changes to the law will be made before it goes into effect this January.
Originally passed in September 2018, the CCPA is widely considered to be the most comprehensive privacy law in the U.S. to date. Taking its cue from the E.U.’s GDPR, the CCPA gives California consumers the right to know what data companies collect on them and even opt out of the collection and sale of their personal information. However, as we wrote about in July, a number of amendments were introduced that privacy experts fear could greatly reduce the impact of the new law.
In the months since then, some of those amendments successfully passed while others were reworked or scrapped altogether. The legislature passed a number of amendments; most of the highly contested changes were put together in bill 1355, Personal Information.
Here is an overview of some of the changes that made it through:
While the CCPA prohibits any discrimination against consumers who opt out of the sale of personal information, the new amendment makes an exemption if “differential treatment is reasonably related to value provided to the business by the consumer’s data.”
This is potentially a big deal. While some of this language will likely be challenged and clarified after the Act goes into effect, it opens the door for businesses to offer different services and/or prices if a user exercises their right to opt out of the sale of their personal information.
Definition of Personal Information
The amendment also makes a very small change to the definition of personal information, but one that could have large implications. In defining what counts as personal information, the bill simply adds the word “reasonably” to the phrase “capable of being associated with” a particular consumer or household. This small change creates some wiggle room for businesses when it comes to arguing what information is protected under the CCPA.
This also reinforces the clarification in the amendment that de-identified and aggregate consumer information does not fall within the scope of the CCPA. And with efforts already underway to weaken the definition of de-identified information, this could potentially further limit what personal information is protected.
Employee Information is Exempt
The other big change to the CCPA concerns employee information. The new amendments now exclude employees from the right to know, opt out, or delete any personal information their employer collects and sells. However, this exemption sunsets in 2021 and will therefore have to be re-introduced after that. This will likely be the site of a large battle between unions and privacy advocates on one side and industry groups on the other.
While these changes certainly reduce the scope and impact of the CCPA, the central tenets of the law remained largely intact. Overall, consumers will still be able to exercise their rights to know what personal information businesses are collecting, to opt out of the sale of this information to third parties, and to even request that a business delete their information. It’s therefore important that all impacted businesses continue to work to be in compliance by the beginning of next year.