California Consumer Privacy Act

Three proposed amendments to the California Consumer Privacy Act were themselves amended on September 6. Here is a summary of the major changes, with links to the current version of each proposed amendment:

  • Until 1/1/2021 personal information collected about employees in their role as such is carved out. New addition: emergency contact information and benefits

To sell or to “disclose for a business purpose.” That is the CCPA question.

“When asked, most companies state honestly they do not ‘sell’ customer data, but the CCPA defines the term in a surprisingly broad way that sweeps in any arrangement involving an exchange of value (‘consideration’) between the business and a third party

Include de-identified personal information in your CCPA data mapping.

“De-identification as a process can be quite complicated to execute with precision to ensure the privacy risk is completely eradicated. The old complications present in this process expand under the CCPA, as the dimensions of what is protected have expanded. Most privacy programs will require modification

Passports and biometric data would be included in the types of personal information covered by California’s data breach notification law, under a bill that passed the state Senate and is headed to Gov. Gavin Newsom.

A.B. 1130 by Assemblyman Marc Levine (D) would also add taxpayer and military identification numbers, and other unique government identification

CCPA applies to Small-to-Medium-Sized Enterprises, and they face unique challenges.

SMEs surveyed by the International Association of Privacy Professionals (IAPP) stated that even if they “do not meet the CCPA’s definition of a ‘business,’” their clients and customers will require them to sign contracts attesting to CCPA compliance.

Many have already faced such demands.

“To effectively address the CCPA rules regarding disclosure of personal information, an organization must take the time to understand how and why personal information is moving out of the organization. This effort requires input from multiple stakeholders in the company to understand from a technical standpoint where personal information might be housed (e.g., identifying external

“Companies need to be vigilant as they set up their consumer response processes. This ‘verified consumer’ part is no small thing. It requires a robust commitment to accurately sourcing your verification data, skill in identifying dubious requests, and some healthy skepticism wouldn’t hurt. The emphasis now is to bend over backward to help consumers to

CISO members of the Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC) published a white paper to help cybersecurity leaders in retail and hospitality prepare for compliance with the California Consumer Privacy Act (CCPA).

Key recommendations from the white paper:

  • Consider contract language that prevents third parties from selling personal information sold to them unless