It should come as no surprise to anyone that the California State Legislature has passed, and the California Governor has signed, amendments to the California Consumer Privacy Act (CCPA). The CCPA began as a ballot initiative, and one of the main drivers for passing it as traditional legislation was to let the law go through the standard legislative process; a law enacted by ballot initiative would have been difficult and arduous to amend.
First, the legislature gave the California AG some additional time to develop the implementing law and pushed back the enforcement date by up to six months; for now, it will be no later than July 1, 2020. The enforcement date could be set before July 1, 2020, so we will have to wait and see when the AG implements the regulation. Companies should be preparing to be compliant by January 1, 2020, and be standing by for enforcement by July 1, 2020.
Further, the amendments add some language around the fine amounts, stating that they can be up to $7,500 per intentional violation. Along these lines, the legislature also removed the requirement to notify the state AG within 30 days of filing an action against a company, a requirement that used to give the AG the power to approve or dismiss the action right out of the gate.
The amendments also clarify the previously nebulous CCPA exemptions regarding personal data and the GLB, HIPAA, and DPPA, which should help companies that are impacted by those regulations scope out some of the personal data within their environment. Keep in mind, however, that these exemptions should be reviewed carefully and applied after thorough analysis.
Last but certainly not least, the amendments updated the notice requirements around the right to be deleted to give businesses some freedom regarding where the disclosure is made, stating that it should be made in a reasonable place for the consumer. They also provided clarification around preemption of the law and the US Constitution.
As mentioned at the beginning of this overview, it is no surprise that amendments were made to this regulation, and we’ll continue to monitor for future amendments that are likely to occur. To make the appropriate notice disclosures and honor the rights of access, deletion, and opt-out of the sale of personal data, companies must be intimately aware of the personal data processed within their environment and how that personal data is sold and shared for business purposes. This is not a task that can be accomplished overnight, and companies must begin working to determine if and how this regulation applies to them and begin planning how they will comply.
Matt Dumiak is Director of Privacy Services, Customer Engagement Compliance at CompliancePoint, focused on U.S. and international direct marketing compliance regulations. He works with clients in a variety of industries and is dedicated to providing reliable and practical consulting services. Matt has earned a Certified Information Privacy Professional (CIPP/US) certification from the International Association of Privacy Professionals (IAPP), a Customer Engagement Compliance Professional (CECP) certification from the Professional Association for Customer Engagement (PACE), and has a B.S. in Economics from Georgia College.