May the 4th be with Alastair Mactaggart?
Some good news for CCPA-regulated “businesses”
- Limit businesses’ liability for violations of the law by “third-party” businesses.
- Create an operationally significant limited exception to deletion and access rights for many types of unstructured data.
- Clarify the definition of “sale,” and differentiate the “sharing” of personal information for cross-context behavioral advertising, exempting it in some instances from the “Do Not Sell” right and the CCPA “selling” notice requirements.
- Clarify that businesses may offer loyalty, rewards, premium features, discounts or club card programs.
- Amend the second threshold of the definition of a “business” to remove “devices” and increase the number of consumers or households from 50,000 to 100,000 or more, thereby exempting more small businesses.
- Exempt businesses from needing to provide access to “specific pieces of personal information” from data generated to help ensure security or integrity or as prescribed by regulation.
- Extend the employee and business-to-business moratoria to Jan. 1, 2023, allowing time to address employee privacy questions in a separate bill.
Some bad news for CCPA “businesses” and “service providers”
- Category of personal information, sensitive data, defined (somewhat differently than under the GDPR) as government identifiers, account and login information, precise geolocation data, racial or ethnic origin, religious or philosophical beliefs, union membership, contents of mail, email and text messages, genetic data, and certain sexual orientation, health and biometric information.
- Set of requirements for this sensitive data, including a right to “Limit the Use of My Sensitive Personal Information” and special website link and additional data minimization requirements.
- Right to limit the use of sensitive data for any secondary purpose and a new notice requirement to provide a separate link titled “Limit the Use of My Sensitive Personal Information” or accommodate an optional technical signal solution.
- Right to data minimization, as well as providing notice to consumers about the length of time each category of personal information will be retained.
- Right to correct inaccurate personal information.
- Right to know, access and receive personal information collected before the 12-month lookback period for data collected on or after Jan. 1, 2022.
- Direct obligations on service providers to assist businesses with CPRA compliance activities.
- Definition of cross-context behavioral advertising and limitations that, as noted above, exempt certain analytics functions but clearly target this activity for do-not-sell obligations.
- Type of business covered under the CCPA — a joint venture or partnership composed of businesses in which each business has at least a 40% interest.
- Inclusion of email account credentials in the categories of personal information potentially subject to the CCPA “reasonable security” private right of action under Section 1798.150(a).
Enforcement and fines
Also on the state privacy law horizon
All this state activity may generate new interest in a federal privacy law.
This article has been reprinted from the IAPP Daily Dashboard.