welcome everyone to the very last module in Sai Buri CCP a course.
Congratulations on just how far we have all made it.
Where do we go from here?
This is, I think, a critical module because the C C P. A. Is consistently changing,
and you all need to be aware of the evolutions that the law is going to pursue in the coming years.
Let's jump right into it. This is where we are in our course outline.
I could not be happier to have finally made it to the last module. In the course with you,
we're going to be referencing some of the privacy underlining obligations that we discussed earlier in the course and also be taking a forward looking approach to seeing again where the law will go from here
I need to bring through and summarize for you Ah, variety of CCP amendments that have all passed in the recent months since we actually began recording.
These are the learning goals and objectives
we're going to identify son. I think there's seven CCP, a amendments that have gone through in the fall of 2020.
They're all business friendly
Let's also keep in mind why these amendments passed.
Think about what type of problem the amendment was seeking to cure,
similar to the GDP. Our session. This is going to be a rapid fire review of all the amendments.
Let's jump right into it.
By the way, if at any point you want to pause the video and Google it, I strongly encourage you to do that.
Just type in the letter C C p. A. And then the actual amendment number
A B stands for Assembly Bill and then the number in which that bill was introduced into the Legislature in California.
I'm not a congressional expert, but I'm pretty sure what that stands for.
A B 25 extended the exemption for employee data through January of 2021.
Reading through the tea leaves, it looks like it's actually going to go through all the way to 2023.
The personal information of employees is not going to be in scope until 2023.
should the amendment not be passed, then extending it beyond 2021
we actually could assume that employee data is within scope,
but I strongly predict that a B 25 is going to be clarified to push all the way through to 2023.
That's very relevant right now because most workforces are working remotely
to bring the point home.
Worry about your consumer base.
Don't worry about your employee data for now.
Publicly available information.
Previously, if you remember personal information that was publicly available but then used in a manner that was different for the reason why it was made publicly available in the first place
would trigger a CCP a obligation.
That rule has been changed.
Now, so long as the personal information is now publicly available somewhere, it falls outside of scope with the C c. P A.
The purpose for why that information is publicly available
is now inconsequential.
I think there's going to be more clarification on this, a B 2 74.
Feel free to Google that at the time you watch this video because it's an open question mark on whether social media content and things like that are considered publicly available.
They're not publicly published records like government records,
but they are generally viewed and considered as publicly available.
Keep an eye on a B 2 74
There are extra deletion exemptions.
Basically, this is one of the reasons why a company can refuse to honor a deletion request.
The automotive industry realized, Hey, we need to hold onto vehicle and warranty information.
We can't delete that. Even if an individual wants that information to be deleted
employees and job application information that also can be held onto by human resource departments,
they don't need to delete it
again. That's following up on Item number three here.
HR is basically getting MAWR reasons to not delete personal information,
a big development in the financial services arena.
Credit history and worthiness data also need not be deleted.
That's strongly impacts individuals as they try to take out alone.
They don't want their old creditworthiness information out there,
particularly if they had a bad credit history.
I'm a new person now.
I have a new job. I paid off my debts.
your previous credit history is going to follow you
a B 15 64. This actually came up last week. It worked for me.
If a company is on Lee doing business online, it does not need to provide a 1 800 number.
In that case, I was supporting a FINTECH client as they were developing their ad on solution that they provide to a baking partner of theirs.
In their scenario, they don't have a brick and mortar business.
It's actually all done through an app.
They were asking themselves,
Why do we need to provide a 1 800 number? It says so under the law.
Actually, a B 15 64 clarifies that
if it is a digital company that does business 100% online,
you don't need to worry about the 1 800 number.
I actually forgot about this exemption. I had to look it up.
Please don't forget it.
There are a variety of business friendly changes.
Frankly, I would argue that every change up until this point and even beyond this is business friendly.
Ah, question that people frequently have is
if you're doing business on behalf of another company and you email that first company with general information because you're just completing your business process,
does that suddenly trigger the C C. P. A.
A. B 13 55 clarified this.
It exempts personal information about the employees of another company during a business to business transactions.
If you work in the legal department or you work in the Internal Security Department
and you have to represent to a vendor or to a potential client about the information security protocols of your company to say that they're worthy of getting new business
you can't use the C C p A. And have your personal information deleted from whatever company you were making those representations to whatever company you were sending emails to
Item number two here under a B 13 55
they've gotten much more generous with the definition of a data breach.
Now, personal data needs to be both unencrypted and unredacted to be considered an actual data breach.
Previously, companies were sometimes truncating their information.
For example, the last four of your social.
If that links out, is that considered a data breach
That was left as an open question.
A B 13 55 clarifies In order for it to be a breach, it needs to be both unencrypted and unredacted,
basically meaning if you breach redacted information,
you're going to be okay.
It needs to be both unredacted and unencrypted.
This is big in the financial services. Face
data. Brokers must now register with the attorney general
again. Remember, the definition of a data broker is any business that knowingly collects or sells information to third parties.
This is hot I've seen lately in the Geo location space as well as the contact tracing space.
So in the context of covert 19,
basically, if you are working or supporting for a company that is transferring, forget buying and selling for a moment. Just transferring
large amounts, large volumes of personal information from one business to another.
If you are helping effectuate that,
you might need to have a serious conversation internally with your stakeholders to determine
whether or not you should be registering as a data broker,
then we can have a larger conversation about whether or not the practice you are supporting countless selling.
You do need to figure out whether or not a B 12 02 applies to you.
In summary, I counted it right.
There have been seven amendments that have recently passed under the C c. P A.
I view these as the Legislature's general attempt to address some inconsistencies.
I think you will agree with me. With the exception of the data broker registration, thes air, all business friendly amendments,
They want the CCP A to be more business friendly.
We'll see where that train goes.
I'll see you in the next lesson
as we discuss more changes coming to the land of the California Consumer Privacy Act,