The original version of this blog, excluding NICE references, was initially published in Lydia de la Torre's Medium Blog. The version below has been extensively edited. The original version can be accessible here.**
The California Consumer Privacy Act was enacted last year and will go into effect January 2020. There are several amendments currently under consideration summarized below. The deadline for 2019 is September 13 for approval and October 13 for the Governor to sign or veto the bills. Bills that do not pass in 2019 may be brought up again during the 2020 legislative session for consideration.
Status summary
The big news for 2019 is that CCPA barely changed. The surprise of the night was mandatory registration for data brokers (defined as anybody who sells under CCPA without having a 'direct relationship' with the consumer) in California.
There was an unusual large number of privacy bill proposals in 2019 (up to 150 privacy proposals in general at some point, around 20 related to CCPA) but most failed and the ones that passed did not significantly modify CCPA.
The changes include:
- Mandatory registration for data brokers (defined as anybody who sells under CCPA without having a 'direct relationship' with the consumer) in California.
- Efforts to fully exclude employee/contractor data mainly failed but it is likely that we will see the issue debated again in 2020.
- The exemption would apply to personal information from job applicants, employees, contractors, and agents. The final exclusion will likely contain a sun-set provision (Jan, 2021), not exempt business from the obligation to provide a privacy notice, plus it will likely enable private right of action on data breaches affecting the employee/contractor carved-out data.
- Modest changes to the definition of personal information (adding "reasonable", expanding the definition of public information and excluding de-identified and aggregated data from the definition). Other efforts to narrow the definition of personal information (PI) and to broaden the definition of "de-identified" failed (for now).
- Small clarifications on reasonable authentication, permissible discrimination, and a few other areas.
- Clarifying that business' may require authentication of consumers exercising their CCPA rights that is "reasonable in light of the nature of the personal information requested" and authorizes a business to require a consumer to submit a verifiable consumer request through the account that the consumer maintains with the business (if the consumer maintains an account).
Don't wait till the dust settles
Friday, Sept. 6 was the final day for any amendments to the CCPA to be introduced, per California Assembly rules. Lawmakers have since voted on those amendments, and we now know what the final version of the CCPA looks like. It is therefore important that organizations not wait until the dust settles to take initial steps towards CCPA compliance. As the fifth-largest economy in the world, California is a marketplace that organizations can't ignore.
At NICE, we have made privacy a cornerstone of our compliance solutions, offering a unique end to end solution to assure you answer the requests for data access and deletion as well as authentication. By leveraging the capabilities of the
Compliance Center and
Real-Time Authentication, customers can make sure they are ready for the CCPA enforcement, as well as other privacy regulation to come. To learn more about our solutions, please
schedule a demo.