After months of wrangling, the California legislature has finally passed a set of significant amendments to the California Consumer Privacy Act (CCPA), a sweeping data privacy and security law commonly referred to as “California’s GDPR” (Europe’s General Data Protection Regulation). Employee personal information and personal information obtained in business-to-business (B2B) interactions are now mostly out of scope. Personal information in credit reports and other data covered by the Fair Credit Reporting Act is also largely exempt. Only personal information that is “reasonably” capable of being associated with a consumer or household is subject to the act. And aggregate or deidentified information definitively does not qualify as CCPA personal information.
These and several other amendments that passed represent significant changes to the CCPA. They should substantially ease compliance burdens and correct some — but not all — of the drafting anomalies and other aspects of the act that have been the source of uncertainty.
California legislators also passed the state’s first data broker registry law. Businesses that no one typically thinks of as traditional “data brokers” may now be required to register with the California Attorney General, disclose “any additional information or explanation the data broker chooses to provide concerning its data collection practices” and pay annual registration fees. California’s law tracks the Vermont Attorney General’s interpretation of that state’s data registry law, which similarly views “sale” as including not just traditional sales but the exchange of personal information for nonmonetary consideration.