Three proposed amendments to the California Consumer Privacy Act were themselves amended on September 6. Here is a summary of the major changes, with links to the current version of each proposed amendment:
To sell or to “disclose for a business purpose.” That is the CCPA question.
“When asked, most companies state honestly they do not ‘sell’ customer data, but the CCPA defines the term in a surprisingly broad way that sweeps in any arrangement involving an exchange of value (‘consideration’) between the business and a third party
Include de-identified personal information in your CCPA data mapping.
“De-identification as a process can be quite complicated to execute with precision to ensure the privacy risk is completely eradicated. The old complications present in this process expand under the CCPA, as the dimensions of what is protected has expanded. Most privacy programs will require modification
Passports and biometric data would be included in the types of personal information covered by California’s data breach notification law, under a bill that passed the state Senate and is headed to Gov. Gavin Newsom.
A.B. 1130 by Assemblyman Marc Levine (D) would also add taxpayer and military identification numbers, and other unique government identification
CCPA applies to Small-to-Medium-Sized Enterprises, and they face unique challenges.
SMEs surveyed by the IAPP – International Association of Privacy Professionals stated that even if they “do not meet the CCPA’s definition of a ‘business,” their clients and customers will require them to sign contracts attesting to CCPA compliance.
Many have already faced such demands.
“To effectively address the CCPA rules regarding disclosure of personal information, an organization must take the time to understand how and why personal information is moving out of the organization. This effort requires input from multiple stakeholders in the company to understand from a technical standpoint where personal information might be housed (e.g., identifying external
With AB25, the pending amendment that attempts to carve out information of California employees from the scope of the California Consumer Privacy Act (CCPA), are employers of California-based employees completely off the hook?
In short – no! Fox Rothschild’s Nancy Yaffe takes a deeper dive in this post to our California Employment Law blog.
Information that is de-identified is no longer personal information under the California Consumer Privacy Act.
But what does “de-identified” really mean and does existing guidance under the European Union’s General Data Protection Regulation (GDPR) offer any insight? Take a deeper dive in this article:
“Companies need to be vigilant as they set up their consumer response processes. This ‘verified consumer’ part is no small thing. It requires a robust commitment to accurately sourcing your verification data, skill in identifying dubious requests, and some healthy skepticism wouldn’t hurt. The emphasis now is to bend over backward to help consumers to
CISO members of the Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC) published a white paper to help cybersecurity leaders in retail and hospitality prepare for compliance with the California Consumer Privacy Act (CCPA).
Key recommendations from the white paper: