On October 11, Governor Gavin Newsom of California signed amendments to the California Consumer Privacy Act (CCPA) into law. The CCPA, with the accepted amendments, will go into effect on January 1, 2020.
The CCPA is a sweeping piece of legislation designed to provide California residents with “increased control” over their data. It allows consumers to find out what personal information of theirs has been gathered, to request that businesses delete their data, and to opt out of having their information sold. It requires affected companies to comply with certain requirements, facilitate consumer data requests, update their privacy policies, and ensure that their vendors comply as well.
For a more detailed look at the CCPA and what you need to know, check out our CCPA resources, including our CCPA FAQs for financial services firms and our CCPA FAQs for all industries, or read the full text of the CCPA.
The accepted amendments to the CCPA that most affect financial institutions include the following assembly bills:
Employee Exemption (AB 25) – This bill exempts personal information that is collected from job applicants, employees, business owners, directors, officers, medical staff, or contractors from the CCPA's consumer rights (such as access, deletion, and opt-out). However, the exemption does not apply to the CCPA’s notice and data breach liability provisions. This means that employers would still have to provide a privacy notice, as described in the CCPA, when they collect employee personal information (PI). Employee-related data is also still included in the event of a data breach, and a private right of action is available. The employee exemption is a sunset provision which will expire January 1, 2021. However, as that date approaches, the CA Legislature will look to provide further regulation on the handling of employee data.
Personal Information (AB 1355) – Among other things, this bill adds a one-year exemption under which data is not considered “personal information” when it was obtained by a firm via B2B communications or transactions (in the context of due diligence regarding a company, nonprofit, or government agency, or the provision or receipt of a product or service to or from a company, nonprofit, or government agency). Similar to the Employee Exemption (AB 25), this is a sunset provision lasting one year.
Several other amendments to the CCPA were also signed into law. For example, AB 874 allows information that was lawfully made available in government records to be considered publicly available and therefore excluded from personal information, and other elements of AB 1355 clean up several drafting errors in the original CCPA.
ACA Aponix Guidance
The CCPA is an expansive piece of legislation that calls for significant action on the part of affected companies. With the effective date of January 1, 2020 rapidly approaching, it behooves companies to finalize their compliance plans.
Additionally, it is advisable that companies recognize the upcoming sunset provision of January 2021 related to CCPA changes, particularly as affecting employee rights. It is not recommended to consider the more lenient interpretation of the amendment a “done deal.” Further, a new ballot initiative to combat the “watered down” version of the CCPA and strengthen California data privacy regulations may be in the works.
Beyond that, other states enacting data privacy laws similar to the CCPA, or a broader federal solution, are possibilities on the horizon.
In all circumstances, it makes sense for companies to aim for a stricter level of data privacy compliance that “covers the bases” for the CCPA, its possible stricter future implementations, and other likely upcoming data privacy regulations.