Skip to main content
Top Button
Countdown to CCPA – California Legislature Approves CCPA Amendments Countdown to CCPA – California Legislature Approves CCPA Amendments

Countdown to CCPA – California Legislature Approves CCPA Amendments

In a client alert published last month, we provided a brief overview of seven major amendments to the California Consumer Privacy Act (“CCPA”) pending before the California Senate and how they might amend the CCPA. Since then, the legislature further revised at least two of the proposed amendments, including AB 1355 and AB 846.[1] On September 13, 2019, the California Senate and Assembly finalized and approved six of the seven amendments. The amended CCPA will now be presented to the Governor for signature or veto, either of which must be given by October 13, 2019. This article summarizes how each approved amendment affects the CCPA and highlights the CCPA’s influence on recent state and federal privacy legislation that could also affect your business.

Which amendments were approved, and how do they change the CCPA?

Temporary Employee Exemption (AB 25): The amendment exempts certain personal information collected by a business about prospective or current employees. However, this is only a temporary exemption, with the exemption sun setting on January 1, 2021. The intention is to ease the impact of CCPA implementation on many businesses.

Modifications to Key Terms (AB 874): The amendment revises two key terms in the CCPA. First, the amendment expands the “publicly available” exclusion under the definition of “personal information” to include information lawfully made available from government records. Second, a revised definition of “personal information” would exclude deidentified or aggregated consumer information.

Exemption for Vehicle Information (AB 1146): The amendment narrowly exempts “vehicle information” and “ownership information” from the rights of opt-out and data deletion in connection with notifications for vehicle recalls and for warranties.

Additional Technical Amendments (AB 1355): The amendment includes several changes: 1) modifying the definition of “personal information” as information that is “reasonably capable of being associated with” a particular consumer or household, instead of simply “capable of being [so] associated”; 2) adding a one-year B2B communications moratorium other than rights to opt out of sale of one’s personal information and non-discrimination; 3) clarifying that CCPA Section 1798.150 class-action lawsuits may not be brought for data breaches when “data breach personal information” is either encrypted or redacted (not both); 4) clarifying that deidentified and aggregate information are exempt from the statute; and 5) clarifying that the reasonableness of charging a different price or rate or providing a different level or quality of goods or services is measured in relation to the value of the personal information to the business, not to the consumer.
Modification to Consumer Requests for Disclosure Methods (AB 1564): The amendment modifies an existing provision within the CCPA to exempt businesses that operate exclusively online from a consumer request for information requirement. Specifically, businesses that operate exclusively online will be able to meet the CCPA’s consumer request requirement by providing consumers with an email address only, instead of also offering a toll-free telephone number.

Data Broker Registration (AB 1202): The amendment requires “data brokers” to register with and pay a registration fee to the California Attorney General. A data broker is defined as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.”

*Note: AB 846, Preserving Customer Loyalty Programs, was not voted on and has been shelved indefinitely.*

How does the CCPA influence recent state and federal privacy legislation?

State Consumer Data Privacy Legislation

Since the CCPA passed in June 2018, several states have established or revamped their consumer data privacy legislation. Nevada, for example, enacted SB 220 in May 2019, a law that prohibits an operator of an Internet website or online service who collects certain information from consumers in Nevada from making any sale of certain information about a consumer if requested by the consumer. Other states—such as Connecticut, Illinois, Louisiana, Maine, and Texas—have enacted data privacy legislation that either similarly regulates data collection and use by companies in each state or creates task forces, advisory councils, and other groups to study the effects of the sale of consumer data. For a comprehensive list of failed, pending, or enacted consumer data privacy legislation in 2019, visit this page provided by the National Conference of State Legislatures (NCSL).

Federal Consumer Data Privacy Legislation

For many data privacy professionals and tech executives, state-by-state consumer data privacy legislation is a fragmented, painstaking solution to a constant, immediate problem. On September 10, 2019, CEOs from 51 tech companies—including Amazon, IBM, and Salesforce—signed a letter addressed to high-ranking members of Congress urging them to develop a comprehensive consumer data privacy law at the federal level. “We are [] united in our belief,” reads the letter, “that consumers should have meaningful rights over their personal information and that companies that access this information should be held consistently accountable under a comprehensive federal consumer data privacy law.”[2] Without any significant traction behind a federal consumer data privacy bill, however, we suggest that our clients continue to monitor state legislation that could impact your business using the NCSL link provided above or by contacting any of our Data Security and Privacy attorneys for consultation.


The CCPA, as now amended and if signed by the Governor, goes into effect on January 1, 2020. For our clients who previously developed new or modified existing data security and privacy policies to comply with the GDPR, complying with the CCPA requires equal attention and specificity. For our clients who were not subject to the GDPR but will be subject to the CCPA, our Data Security and Privacy attorneys can assist you as you navigate complex, technical requirements toward compliance.

Ice Miller has the professionals and experience to help clients develop cybersecurity and privacy programs to comply with the requirements of the CCPA. To speak to an attorney, please contact Nick Merker. Nick Merker is a partner and co-chair of Ice Miller’s Data Security and Privacy Practice Group

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.

Fall associate Mason Clark contributed to this publication. 

View Full Site View Mobile Optimized