Last week, the California Assembly’s Committee on Privacy and Consumer Protection, which exercises jurisdiction over privacy and personal information protection matters, approved several amendment bills intended to clarify and narrow the scope of the California Consumer Privacy Act (CCPA or the Act). In January 2020, the CCPA will impose landmark burdens and obligations on businesses that in many respects go beyond those required by the EU’s General Data Protection Regulation (GDPR). Businesses nationwide will be challenged with reconciling the ambiguities in the Act, which is presently expected to look back on data collection and processing activities from as early as January 2019. Further complicating the matter is the fact that the law has been amended once and requires implementation of regulations by the California Attorney General that are not expected to be finalized until at least the end of this year.
The amendments approved by the Committee include three key clarifications of the CCPA:
(i)Employees are not “consumers” for the purposes of the CCPA;
(ii)”Personal information” will no longer include information that is merely “capable of being associated” with a particular individual and will exclude “household”-level information; and
(iii)The definition of “Deidentified” information will exclude information “capable of being associated with” a particular individual.
These amendments are not yet law, but their consideration and progress point to the continuing uncertainty that pervades global regulation of privacy and data protection. They also suggest that California legislators are beginning to appreciate the magnitude and business consequences of this sweeping new law.
To read more on the proposed CCPA amendments, click here.