california capitol The Consumer Privacy Act applies to companies with gross revenues of $25 million or more and that receive, sell or share personal information about more than 50,000 Californians or that derive more than half their revenue from selling customer data. (Photo: Jason Doiy/ Recorder)

State lawmakers have sent to Gov. Gavin Newsom what will likely be the final amendments to the California Consumer Privacy Act before the landmark data-privacy bill goes into effect on Jan. 1.

The proposed changes offer some clarification for businesses and employers, but they also renewed calls from the tech industry for the U.S. Congress to override the new state law that lets consumers know, and in some cases control, what information companies collect about them.

"Actions taken by the Legislature this year will improve the California Consumer Privacy Act, but many clarifications are still necessary before it will work for consumers and businesses," Courtney Jensen, Technet's executive director for California, said in a statement. "The importance of federal action to avoid a patchwork of privacy laws has never been clearer, and we urge Congress to act."

The amendments do not reflect the broadest changes sought by both advocates and critics of the California Consumer Privacy Act, or CCPA. There will be no private right of action. There are no mass exemptions.

"The most significant thing about CCPA amendments is actually that very few changes will take place," said Lydia de la Torre, of counsel at Squire Patton Boggs. "Most bills were defeated and the changes are modest."

The clock is ticking, however, for employers to comply with the new law.

The Consumer Privacy Act applies to companies with gross revenues of $25 million or more and that receive, sell or share personal information about more than 50,000 Californians or that derive more than half their revenue from selling customer data.

The definition covers employers, too, and the information they collect about job applicants and workers. Amendments sent to the governor, however, give employers a one-year exemption from requirements that they disclose that information upon request. The delay is designed to give labor groups, privacy advocates and business association time to hammer out a compromise about what data employers need to share with their workers.

"Everyone is going to have to sit down with their counsel and say, 'OK, does this exempt me?'" said Philip Recht, partner in charge of Mayer Brown's Los Angeles office. "If they conclude that they are covered to some extent, they have to decide how they're going to comply from a mechanical, operational perspective."

If the law is not amended in 2020 to extend the exemption or permanently change the workplace provisions, employers should "get ready for access requests from current and former employees, which tend to be complicated and time consuming," de la Torre said. "A pitfall to avoid is long retention periods especially for unstructured data" such as emails, she said.

Draft regulations that may also offer more compliance guidance to employers are due from Attorney General Xavier Becerra this fall.

Becerra's office earlier this year asked for public comments on a wide range of Consumer Privacy Act topics, including possible exemptions from the law and requirements for complying with requests for data. The attorney general will begin enforcing the new law in July.

Here are other key Consumer Privacy Act bills sent to the governor:

>>> AB 1355 creates a one-year exemption shielding business-to-business communications and transactions from certain disclosure provisions. The bill also authorizes the attorney general to decide what constitutes a "verifiable consumer request" for information in an attempt to ensure that personal data does not fall into the wrong hands.

>>> AB 1146 allows a business to keep customers personal information if that data is necessary to provide a warranty or product recall information.

>>> AB 874 clarifies that the definition of personal information under the Consumer Privacy Act does not include "deidentified" or aggregate consumer data. The measure adds business-sought language clarifying that personal information must be "reasonably capable" of being associated with a particular consumer or household, as opposed to just "capable," to be subject to the law's disclosure requirements.

Complete your profile to continue reading and get FREE access to BenefitsPRO, part of your ALM digital membership.

Your access to unlimited BenefitsPRO content isn’t changing.
Once you are an ALM digital member, you’ll receive:

  • Breaking benefits news and analysis, on-site and via our newsletters and custom alerts
  • Educational webcasts, white papers, and ebooks from industry thought leaders
  • Critical converage of the property casualty insurance and financial advisory markets on our other ALM sites, PropertyCasualty360 and ThinkAdvisor
NOT FOR REPRINT

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.

Mike Scarcella

Mike Scarcella is a senior editor in Washington on ALM Media's regulatory desk. Contact him at [email protected]. On Twitter: @MikeScarcella. Mike works on a slate of newsletters: Supreme Court Brief | Higher Law | Compliance Hot Spots | Labor of Law.