The California Consumer Privacy Act (CCPA) which is applicable to the collection and processing of the personal data of Californian residents is set to become effective from 1st January 2020.
CCPA has already distinguished itself by its honest approach to privacy protection by specifically admitting the possibility of “Sale of Personal Data”. Unlike GDPR which does not provide clarity on whether personal data may be “Sold” even when there is an “Explicit Consent” and leaves the data processing companies in doubt, CCPA is clear in its prescriptions.
CCPA also recognizes a “Financial Value” for the personal data, recognizes the right of ownership of the data subject to deal with it even in commercial terms. While Privacy activists may debate the ethics of “Trading of Personal Data”, the fact is that this provision gives some breathing space for data dependent businesses.
Now before the act becomes effective, some amendments have been proposed and is likely to be discussed and probably passed before the January 1, 2020 deadline for implementation.
The Six amendments are as follows.
- Reasonable Authentication:
CCPA shall allow a consumer to submit requests through a “Consumer Account”, if the customer maintains an account with the business.
The employee information collected in the course of a natural person acting as a job applicant, employee, owner,director, officer,medical staff member or contractor is exempted from the definition of personal information for one year (until January 2021)
The exemption also covers employee emergency contact information and information used to administer benefits, but it does not apply to a business’s obligation to provide notice to employees about its collection practices or employees’ eligibility for the data breach provision’s private right of action.
2. Classification of Personal Information
This amendment adds the phrase “reasonably capable of being associated with . . . a particular consumer or household.” to the definition of how a data is identified as a personal data.
The bill also clarifies that any information made available by federal, state or local government is “publicly available” and is not personal information.
The amendment also eliminates the provision of the CCPA stating that publicly available information that a company uses in a manner incompatible with the purpose for which it was originally collected by the government is considered covered personal information.
It also clarifies that personal information does not include de-identified or aggregate information
3. Right to Forget
The amendment adds a new exception to a consumer deletion request that allows a business to deny the request if the information is needed to “fulfill the terms of a written warranty or product recall conducted in accordance with federal law.”
It also creates an industry-specific exemption from the right to opt out of the sale of personal information for vehicle or ownership information maintained or shared between an automobile dealer and a manufacturer if it is maintained or shared for certain purposes.
4. Data Brokers
This amendment requires “data brokers” – defined as a “business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship” – to register with the California attorney general.
5. Miscellaneous amendments
a) A one-year exemption to be provided for personal information exchanged in certain business-to-business communications.
b) A covered business does not have to collect or retain consumer information for CCPA purposes that it would not otherwise collect or retain in its ordinary course of business.
c) Businesses must disclose to consumers their right to request specific pieces of information a business has collected about them, and includes some changes to the CCPA’s exception for consumer-credit information covered by the Fair Credit Reporting Act (FCRA)
6. Exemption from Toll free phone number
An exclusively online business with a direct relationship with a consumer need not provide a toll-free phone number to which consumers can submit a request for disclosure of information. It need only provide consumers with an email address.
Additional clarification in the form of draft regulations is expected from the California attorney general in late October or early November.
It is also expected that California may also pass a State Privacy Legislation soon. Since many other states (16 by last count) are following the steps of CCPA, the changes in CCPA is likely to have wide impact on the Privacy protection regime in USA.
There is a need to closely watch the developments in the Privacy regime overtaking USA for Indian businesses to structure their compliance measures.