Cybersecurity Response to the California Consumer Privacy Act
Who Does CCPA Impact?
- Has a gross annual revenue of $25 million or more.
- Annually purchases or receives for commercial purposes, or sells or shares for commercial purposes, personal information for 50,000 or more consumers, households, or devices in the state of California.
- Or generates 50 percent or more of their annual gross revenue from selling personal information.
Impact to Companies that Handle Data
- CCPA requires companies that have joint partnerships or that share emails with third parties to comply with the same regulations.
- CCPA-mandated companies have to allow users to opt out and must offer several notification methods.
- CCPA-mandated companies cannot discriminate against users who choose to opt out of the sale of information.
Understanding Recent Amendments to CCPA
- AB 25 exempts employee data and beneficiary and emergency contact data from CCPA’s scope until January 21, 2021. Companies must still provide a privacy notice to employees, as well as the direct right of action in case of breach.
- Amendment AB 874 spells out the definition of personal information by clarifying that personal information does not include de-identified or aggregated consumer information.
- Amendment AB 1564 permits a business that operates exclusively offline and has a direct relationship with a consumer from whom it collects personal information to only provide an email address for submitting requests to exercise various CCPA rights. Also, an FCRA expansion clarifies that as long as you’re meeting the requirements for FCRA, it is exempt from CCPA.
- Amendment AB 1146 exempts vehicle information shared between a new auto dealer and a vehicle manufacturer when information is shared or retained pursuant to, or in anticipation of, a vehicle repair relating to warranty work or recall.
- Amendment AB 1355 adds an exclusion of de-identified and aggregate information from the definition of personal information with other clean-up changes. This amendment includes a B2B exception until January 21, 2021 for information collected in the context of the business of conducting due diligence regarding a company, nonprofit, or government agency, or the information is collected in the provision or receipt of a product or service to or from a company, nonprofit, or government agency. Also, as part of the new amendments, new requirement AB 1202 defines and requires data brokers to register as a data broker and provide certain information to the attorney general.