Lots of action for the California Consumer Privacy Act (CCPA) in the last few days! After much anticipation, on October 10th, 2019, California Attorney General Xavier Becerra (“the AG”) announced the Proposed Regulations for the CCPA.  The next day, California Governor Gavin Newsom signed into law six amendments to the CCPA. Below is a summary of key aspects of the AG’s Proposed Regulations and the Governor signed amendments.

AG Becerra’s Proposed Regulations

The CCPA requires the AG to adopt regulations to operationalize the CCPA and provide clarity and specificity to assist in the implementation of the law by July 1, 2020 (Civ. Code, § 1798.185, subd. (a)). The AG’s Proposed Regulations in particular provide compliance guidance for covered businesses, and procedures for facilitating consumer rights.

The AG’s Proposed Regulations are extensive and provide clarity on key issues including:

  • Notice to consumers – the Proposed Regulations promote greater transparency to the public regarding how businesses collect, use, and share personal information and on what businesses must do to comply with the CCPA.
  • Timing and recordkeeping – the Proposed Regulations encourage businesses to provide complete and timely responses to consumer requests.
  • Methods for submitting requests to know and requests to delete – the Proposed Regulations set forth rules and procedures businesses must follow regarding how consumers are to submit these requests.
  • Service providers – the Proposed Regulations harmonize different sections of the CCPA that have caused confusion regarding how the CCPA applies to service providers, addressing concerns raised during the AG’s preliminary public hearings.
  • Discriminatory practices – the Proposed Regulations emphasize that a business may offer a different price or service if it is “reasonably related to the value of the consumer’s data”.
  • Minors – the Proposed Regulations instruct businesses on the implementation process for a parent or guardian to opt-in to the sale of their information.

The AG will hold four public hearings (in Sacramento, Los Angeles, San Francisco and Fresno) to provide all interested parties the opportunity to present statements or comments regarding the Proposed Regulations. This comes in addition to the seven public hearings the AG held prior to preparation of the Proposed Regulations. More information regarding the upcoming public hearings is available here. Interested parties may also submit written comments to the Office of the AG through December 8, 2019.

CCPA Amendments Signed into Law by Governor Newsom

After nearly a year-long legislative process, on October 11th Governor Newsom signed six CCPA amendments into law. Here is a complete list of the recently signed amendments to the CCPA:

  • AB 25 (Employee Personal Information Exemption): Excludes employee personal information from many of the CCPA’s requirements for a one-year period – during which the Legislature would consider more comprehensive employee privacy legislation.
  • AB 874 – (Publicly Available Information Exemption): Removes a limitation on the “publicly available information” exception to the definition of personal information.
  • AB 1355 – (Technical Corrections): Several noteworthy technical corrections and other changes including exemption of deidentified or aggregated consumer information, one-year exemption for B2B communications or transactions and a broadened exemption for businesses subject to the FCRA.
  • AB 1146 (Vehicle Information Exemption): Exempts particular types of vehicle information including warranty and recall information from certain CCPA requirements.
  • AB 1564 – (Consumer Requests for Disclosure Methods): Provides alternatives to the requirement that covered businesses make available to consumers a toll-free number to submit requests for information regarding the use of their personal information.
  • AB 1202 – (Data Broker Registration): Requires data brokers to register with the AG.

A more detailed summary of these CCPA amendments on the blog, is available here.

Conclusion

That’s all for now, but there are still more updates to come! As was the case with the CCPA amendments, the AG’s Proposed Regulations will likely undergo some modifications during the rulemaking process, before adoption in their final form by the July 1, 2020 deadline. We will continue to report on updates to the Proposed Regulations and other CCPA developments as they unfold.  And in case you missed it, we recently released our CCPA FAQs to assist covered businesses with their compliance efforts.

Tags: Attorney General Xavier Becerra, Californai Consumer Protection Act, California, CCPA, CCPA amendments, CCPA FAQs, CCPA update, consumer privacy, Governor Newsom, NCSAM, Proposed Regulations
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Joseph J. Lazzarotti Joseph J. Lazzarotti

Joseph J. Lazzarotti is a principal in the Tampa, Florida, office of Jackson Lewis P.C. He founded and currently co-leads the firm’s Privacy, Data and Cybersecurity practice group, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the…

Joseph J. Lazzarotti is a principal in the Tampa, Florida, office of Jackson Lewis P.C. He founded and currently co-leads the firm’s Privacy, Data and Cybersecurity practice group, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the International Association of Privacy Professionals. Trained as an employee benefits lawyer, focused on compliance, Joe also is a member of the firm’s Employee Benefits practice group.

In short, his practice focuses on the matrix of laws governing the privacy, security, and management of data, as well as the impact and regulation of social media. He also counsels companies on compliance, fiduciary, taxation, and administrative matters with respect to employee benefit plans.

Read more about Joseph J. Lazzarotti
Show more Show less
Photo of Jason C. Gavejian Jason C. Gavejian

Jason C. Gavejian is a principal in the Berkeley Heights, New Jersey, office of Jackson Lewis P.C. and co-leader of the firm’s Privacy, Data and Cybersecurity practice group. Jason is also a Certified Information Privacy Professional (CIPP/US) with the International Association of Privacy…

Jason C. Gavejian is a principal in the Berkeley Heights, New Jersey, office of Jackson Lewis P.C. and co-leader of the firm’s Privacy, Data and Cybersecurity practice group. Jason is also a Certified Information Privacy Professional (CIPP/US) with the International Association of Privacy Professionals.

As a Certified Information Privacy Professional (CIPP/US), Jason focuses on the matrix of laws governing privacy, security, and management of data. Jason is co-editor of, and a regular contributor to, the firm’s Workplace Privacy, Data Management & Security Report blog.

Jason’s work in the area of privacy and data security includes counseling international, national, and regional companies on the vast array of privacy and security mandates, preventive measures, policies, procedures, and best practices. This includes, but is not limited to, the privacy and security requirements under state, federal, and international law (e.g., HIPAA/HITECH, GDPR, California Consumer Privacy Act (CCPA), FTC Act, ECPA, SCA, GLBA etc.). Jason helps companies in all industries to assess information risk and security as part of the development and implementation of comprehensive data security safeguards including written information security programs (WISP). Additionally, Jason assists companies in analyzing issues related to: electronic communications, social media, electronic signatures (ESIGN/UETA), monitoring and recording (GPS, video, audio, etc.), biometrics, and bring your own device (BYOD) and company owned personally enabled device (COPE) programs, including policies and procedures to address same. He regularly advises clients on compliance issues under the Telephone Consumer Protection Act (TCPA) and has represented clients in suits, including class actions, brought in various jurisdictions throughout the country under the TCPA.

Jason represents companies with respect to inquiries from the HHS/OCR, state attorneys general, and other agencies alleging wrongful disclosure of personal/protected information. He negotiates vendor agreements and other data privacy and security agreements, including business associate agreements. His work in the area of privacy and data security includes counseling and coaching clients through the process of investigating and responding to breaches of the personally identifiable information (PII) or protected health information (PHI) they maintain about consumers, customers, employees, patients, and others, while also assisting clients in implementing policies, practices, and procedures to prevent future data incidents.

Jason represents management exclusively in all aspects of employment litigation, including restrictive covenants, class-actions, harassment, retaliation, discrimination, and wage and hour claims in both federal and state courts. He regularly appears before administrative agencies, including the Equal Employment Opportunity Commission (EEOC), the Office for Civil Rights (OCR), the New Jersey Division of Civil Rights, and the New Jersey Department of Labor. Jason’s practice also focuses on advising/counseling employers regarding daily workplace issues.

Jason’s litigation experience, coupled with his privacy practice, provides him with a unique view of many workplace issues and the impact privacy, data security, and social media may play in actual or threatened lawsuits.

Jason regularly provides training to both executives and employees and regularly speaks on current privacy, data security, monitoring, recording, BYOD/COPE, biometrics (BIPA), social media, TCPA, and information management issues. His views on these topics have been discussed in multiple publications, including the Washington Post, Chicago Tribune, San Francisco Chronicle (SFGATE), National Law Review, Bloomberg BNA, Inc.com, @Law Magazine, Risk and Insurance Magazine, LXBN TV, Business Insurance Magazine, and HR.BLR.com.

Jason is the co-leader of Jackson Lewis’ Hispanic Attorney resource group, a group committed to increasing the firm’s visibility among Hispanic-American and other minority attorneys, as well as mentoring the firm’s attorneys to assist in their training and development. He also previously served on the National Leadership Committee of the Hispanic National Bar Association (HNBA) and regularly volunteers his time for pro bono matters.

Prior to joining Jackson Lewis, Jason served as a judicial law clerk for the Honorable Richard J. Donohue on the Superior Court of New Jersey, Bergen County.

Read more about Jason C. Gavejian
Show more Show less
Related Posts
hacker hand stealing data from laptop top down
Towfiqu barbhuiya, Unsplash
 Insights From The IBM 2023 Cost of a Data Breach Report
September 5, 2023
Beds at a hospital in Sinjar.
Levi Meir Clancy, Unsplash
 Hospital Mergers Double the Risk of a Data Breach, Study Shows
August 15, 2023
Gaming Keyboard
Xeriss, Unsplash
 Cyber Safety Review Board Issues Compelling Report about Lapsus$, MFA Vulnerabilities, and Helpful Recommendations
August 14, 2023