Corporate Compliance Insights

CCPA Update: Changes, Clarifications, But no Major Overhaul Heading to Governor’s Desk

A Legal Analysis of the Amendments to the California Consumer Protection Act

by Michael Morgan and Wendy Zhang
October 23, 2019
in Data Privacy, Featured

California has just adopted some significant amendments to the California Consumer Protection Act (CCPA). McDermott Will and Emery’s Michael Morgan and Wendy Zhang analyze the six amendments that just passed (and one that didn’t).

Pushback from business interests – many of them based in Silicon Valley – has prompted California to make changes to its groundbreaking privacy-protection legislation, which takes effect at the start of the new year.

An analysis of the amendments to the California Privacy Protection Act (CCPA) finds that, while they are noteworthy, they leave most of the core aspects of the law intact. Even so, given the short time remaining before January 1, 2020, businesses that are subject to the law should understand how they will be affected and should take proactive and appropriate action to comply.

The CCPA, which was passed by the state legislature at the end of June 2018, seeks to give consumers control over the way large corporations collect, use and distribute their personal data.

As a result of input from concerned businesses and consumer groups, the California legislature passed six bills amending the CCPA on the final day of the 2019 session. Governor Gavin Newsom is expected to sign those bills into law by the October 13 deadline.

Analyzing the Amendments

The first amendment exempts some information about a business’s workforce. With the amendment, the CCPA will not apply to personal information a company collects about people who apply for jobs, or about employees, contractors and other staff members. This amendment, which was the most watched, means employers may continue to collect and retain personal information (including emergency contact information and information necessary for the administration of benefits) about their workers and those who aspire to work for them.

Businesses will still be required to give privacy notices to their employees, contractors and job applicants detailing the types of personal information being retained about them, but they will not have to provide these individuals with access to that information, nor must they allow them to opt out of having it sold to third parties or comply with demands that it be deleted.

There is an important limitation, however: This exemption will sunset on January 1, 2021. That means the California legislature will need to revisit this issue next year and decide at that time whether to keep the exemption in place or to consider more comprehensive employee-privacy legislation.

The second amendment, which deals primarily with business-to-business transactions, exempts personal information collected by companies when they are communicating or conducting transactions with other companies, including when they are performing due diligence or providing or receiving products and services. The exemption applies when the information is imparted by a business contact who is not acting on their own personal behalf, but in their capacity as an employee, owner, director, officer or contractor of another business.

Companies will not be required to notify other company contacts they are keeping their information on file, nor give them access to that information or the opportunity to have it deleted.

The amendment does not, however, stop business contacts from demanding that their information not be sold to third parties. Nor does it negate the business’s anti-discrimination obligation, which prevents a business from treating customers, including business customers, differently when they choose to exercise their rights under the law.

As with the employee exemption, this exemption will sunset on January 1, 2021. Even though companies have been given more leeway in handling information they collect during business-to-business transactions, they should still be careful about how they construct and share marketing or other lists containing the data of business.

This amendment also clarifies the relationship between the CCPA and the Fair Credit Reporting Act (FCRA). Specifically, the CCPA will not apply to activities authorized by the FCRA that allow consumer reporting agencies to collect, maintain, disclose, sell or communicate information about a consumer’s credit worthiness. This includes the customer’s credit standing, credit capacity, character, general reputation, personal characteristics or mode of living. Nor will the law apply to the people or entities that provide information to consumer reporting agencies or to the users of the consumer reports.

This amendment also clarifies that, as businesses attempt to comply with the CCPA, they are not required to collect or retain personal information they would not otherwise obtain and store in the ordinary course of their business.

The amendment also clarifies that businesses are not required to comply with a consumer’s request for disclosure about their personal information being stored until the business has verified the consumer’s identity. It clarifies that the verification of identity should be reasonable in light of the personal nature of the information requested, and that consumers who already maintain accounts with businesses may be required to submit their request through those accounts. While the amendment grants flexibility to businesses in creating their own verification procedures, we expect further guidance on verification requirements to be part of the Attorney General’s rulemaking process, which will result in the issuance of regulations on or before July 1, 2020.

Consumer requests, particularly for access and deletion, introduce obvious privacy and security concerns. An individual’s personal information could be inadvertently shared with people in their own household as a result of requests by other family members. It could be subject to unauthorized requests by identity thieves. Fraudsters might try to exploit weaknesses in the authentication procedures to obtain the personal information of potential victims.

For those reasons, businesses will need to carefully consider how to best verify a consumer’s identity, and the impact of the request itself, as they comply with the CCPA. This process will be especially challenging for companies with respect to individuals who establish an authentication mechanism with the business, such as would ordinarily occur when an individual opens an account.

The third amendment modifies the definition of “personal information” under the CCPA to mean information that is “reasonably” capable of being associated with a consumer or household. This amendment explicitly exempts any data that has been “de-identified” or expunged of markers that tie it to specific individuals, as well as aggregate consumer information and information obtained from public government records (regardless of the purpose of using the information).

Businesses that intend to rely on the exclusion of de-identified or aggregate consumer information when storing information about consumers will need to carefully examine the CCPA’s definitions of those terms.

The fourth amendment is about vehicle information and exempts some of the consumer information transmitted between automotive dealers and vehicle manufacturers when vehicle repairs are covered by a manufacturer’s warranty. Consumers will not be able to prevent their personal information from being shared between dealers and car makers, nor demand that it be deleted, if the information is necessary for the businesses to fulfill the terms of a written warranty or product recall.

The fifth amendment addresses the ways in which consumers can make requests for their information and clarifies that businesses are generally required to provide at least two methods of contact, including a toll-free telephone number. If the business operates exclusively online and has a direct relationship with a consumer, it will need to provide only an email address for submitting the requests. If the business maintains a website, it will be required to provide a website for submitting requests.

The sixth amendment, which relates to “data brokers,” is not technically part of the CCPA, but sets rules for businesses that collect and sell personal information about consumers with whom they do not have a direct relationship. “Direct relationships” are not specifically defined, but the legislation suggests they can be formed when consumers visit a business’s premises or website, when they intentionally interact with a business’s online advertisements or when they have some level of knowledge or control over the business’s collection of their data.

Data brokers will be required to register with the Attorney General and will have to pay a fee and disclose both their contact information and information regarding their data collection practices. This information will be published in a public database maintained by the Attorney General. Failure to register could subject the data broker to injunctions and penalties of $100 per day.

Those are the six amendments passed by the California legislature.

A seventh amendment about customer loyalty programs failed. It would have clarified that the CCPA does not prohibit businesses from offering consumers who participate in their voluntary loyalty or rewards programs a different set of prices, rates, levels or quality of goods or services than is offered to other consumers. It would have also prohibited businesses from selling personal information collected as part of loyalty or rewards programs to third parties unless the consumer provided express consent and the third party used the information only for the purpose of identifying the consumer as an eligible member of the program.

Based on the text of the law, the regulations created by the Attorney General can be expected to include updating definitions and categories of personal information, establishing additional exemptions and establishing additional rules and procedures related to consumer information requests, opt-out requests and compliance with notice requirements.

The Attorney General can begin enforcement of the CCPA six months after the publication of the regulations or July 1, 2020 – whichever comes first. But the enforcement actions will most likely consider compliance going back to the January 1, 2020 effective date.

Therefore, with the expectation that Governor Newsom will sign these bills into law, it would be prudent for businesses to evaluate carefully how they apply to their operations and implement any necessary changes sooner rather than later.


Tags: California Consumer Privacy Act (CCPA), Reputation Risk
Michael Morgan and Wendy Zhang

Michael Morgan is a leader of the Global Privacy and Cybersecurity practice at McDermott Will & Emery. Recognized as one of the nation’s leading lawyers in cybersecurity, Mike has guided clients through some of the largest and most complex data breaches, breaches involving more than 50 million records and incidents affecting persons in over 100 countries around the world. He counsels clients on compliance with U.S. and international regulations relating to cybersecurity and data privacy, including compliance with the EU’s General Data Protection Regulation and China’s Network Security Law.
Wendy Zhang focuses her practice at McDermott Will & Emery on privacy and cybersecurity matters. Wendy provides compliance advice and guidance on the impact of evolving domestic and international privacy regimes. She has experience advising clients on the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and other data security and privacy laws and regulations, including the Gramm-Leach-Bliley Act (GLBA), Regulation S-P, the Health Insurance Portability and Accountability Act (HIPAA) and data breach notification laws.
