Upcoming CCPA Amendments


Time
4 hours 41 minutes
Difficulty
Intermediate
CEU/CPE
5
Video Transcription
00:00
Welcome, everyone, to the very last module in Cybrary's CCPA course.
00:05
Congratulations on just how far we have all made it.
00:09
Where do we go from here?
00:11
This is, I think, a critical module because the CCPA is consistently changing,
00:16
and you all need to be aware of the evolutions that the law is going to pursue in the coming years.
00:23
Let's jump right into it. This is where we are in our course outline.
00:27
I could not be happier to have finally made it to the last module. In the course with you,
00:32
we're going to be referencing some of the underlying privacy obligations that we discussed earlier in the course and also be taking a forward-looking approach to seeing again where the law will go from here.
00:44
Lesson 10.1.
00:46
I need to bring through and summarize for you a variety of CCPA amendments that have all passed in the recent months since we actually began recording.
00:57
These are the learning goals and objectives
00:59
we're going to identify some, I think there's seven, CCPA amendments that have gone through in the fall of 2020.
01:06
They're all business friendly
01:07
Let's also keep in mind why these amendments passed.
01:11
Think about what type of problem the amendment was seeking to cure,
01:15
similar to the GDPR session. This is going to be a rapid fire review of all the amendments.
01:21
Let's jump right into it.
01:23
AB 25.
01:25
By the way, if at any point you want to pause the video and Google it, I strongly encourage you to do that.
01:30
Just type in the letters CCPA and then the actual amendment number.
01:34
AB stands for Assembly Bill and then the number in which that bill was introduced into the Legislature in California.
01:41
I'm not a congressional expert, but I'm pretty sure what that stands for.
01:45
AB 25 extended the exemption for employee data through January of 2021.
01:51
Reading through the tea leaves, it looks like it's actually going to go through all the way to 2023.
01:56
The personal information of employees is not going to be in scope until 2023.
02:01
However,
02:02
should the amendment not be passed, then extending it beyond 2021
02:07
we actually could assume that employee data is within scope,
02:12
but I strongly predict that AB 25 is going to be clarified to push all the way through to 2023.
02:19
That's very relevant right now because most workforces are working remotely
02:23
to bring the point home.
02:23
Worry about your consumer base.
02:27
Don't worry about your employee data for now.
02:31
Publicly available information.
02:34
Previously, if you remember, personal information that was publicly available but then used in a manner that was different from the reason why it was made publicly available in the first place
02:45
would trigger a CCPA obligation.
02:46
That rule has been changed.
02:50
Now, so long as the personal information is now publicly available somewhere, it falls outside of scope with the CCPA.
02:58
The purpose for why that information is publicly available
03:00
is now inconsequential.
03:04
I think there's going to be more clarification on this, AB 274.
03:07
Feel free to Google that at the time you watch this video because it's an open question mark on whether social media content and things like that are considered publicly available.
03:16
They're not publicly published records like government records,
03:21
but they are generally viewed and considered as publicly available.
03:24
Keep an eye on AB 274.
03:29
AB 1146.
03:30
There are extra deletion exemptions.
03:32
Basically, this is one of the reasons why a company can refuse to honor a deletion request.
03:38
The automotive industry realized, Hey, we need to hold onto vehicle and warranty information.
03:45
We can't delete that. Even if an individual wants that information to be deleted
03:50
employees and job application information that also can be held onto by human resource departments,
03:57
they don't need to delete it
03:58
again. That's following up on Item number three here.
04:01
HR is basically getting more reasons to not delete personal information,
04:06
a big development in the financial services arena.
04:10
Credit history and worthiness data also need not be deleted.
04:15
That strongly impacts individuals as they try to take out a loan.
04:18
They don't want their old creditworthiness information out there,
04:21
particularly if they had a bad credit history.
04:25
Hey, delete that.
04:27
I'm a new person now.
04:28
I have a new job. I paid off my debts.
04:30
Too bad
04:31
your previous credit history is going to follow you
04:35
AB 1564. This actually came up last week. It worked for me.
04:41
If a company is only doing business online, it does not need to provide a 1-800 number.
04:46
In that case, I was supporting a FinTech client as they were developing their add-on solution that they provide to a banking partner of theirs.
04:55
In their scenario, they don't have a brick and mortar business.
04:59
It's actually all done through an app.
05:00
They were asking themselves,
05:02
Why do we need to provide a 1-800 number? It says so under the law.
05:06
Actually, AB 1564 clarifies that
05:12
if it is a digital company that does business 100% online,
05:16
you don't need to worry about the 1-800 number.
05:19
I actually forgot about this exemption. I had to look it up.
05:21
Please don't forget it.
05:25
AB 1355.
05:27
There are a variety of business friendly changes.
05:30
Frankly, I would argue that every change up until this point and even beyond this is business friendly.
05:35
A question that people frequently have is
05:39
if you're doing business on behalf of another company and you email that first company with general information because you're just completing your business process,
05:47
does that suddenly trigger the CCPA?
05:50
AB 1355 clarified this.
05:54
It exempts personal information about the employees of another company during business-to-business transactions.
06:00
If you work in the legal department or you work in the Internal Security Department
06:04
and you have to represent to a vendor or to a potential client about the information security protocols of your company to say that they're worthy of getting new business
06:13
Sorry,
06:14
you can't use the CCPA and have your personal information deleted from whatever company you were making those representations to, whatever company you were sending emails to.
06:24
Item number two here under AB 1355:
06:27
they've gotten much more generous with the definition of a data breach.
06:30
Now, personal data needs to be both unencrypted and unredacted to be considered an actual data breach.
06:39
Previously, companies were sometimes truncating their information.
06:42
For example, the last four of your social.
06:45
If that leaks out, is that considered a data breach,
06:48
yes or no?
06:50
That was left as an open question.
06:53
AB 1355 clarifies: in order for it to be a breach, it needs to be both unencrypted and unredacted,
07:01
basically meaning if you breach redacted information,
07:05
you're going to be okay.
07:06
It needs to be both unredacted and unencrypted.
07:11
This is big in the financial services space.
07:14
Data brokers must now register with the attorney general
07:17
again. Remember, the definition of a data broker is any business that knowingly collects or sells information to third parties.
07:26
This is hot I've seen lately in the geolocation space as well as the contact tracing space.
07:31
So in the context of COVID-19,
07:33
basically, if you are working or supporting for a company that is transferring, forget buying and selling for a moment. Just transferring
07:41
large amounts, large volumes of personal information from one business to another.
07:46
If you are helping effectuate that,
07:48
you might need to have a serious conversation internally with your stakeholders to determine
07:54
whether or not you should be registering as a data broker,
07:58
then we can have a larger conversation about whether or not the practice you are supporting counts as selling.
08:03
You do need to figure out whether or not AB 1202 applies to you.
08:09
In summary, I counted it right.
08:11
There have been seven amendments that have recently passed under the CCPA.
08:16
I view these as the Legislature's general attempt to address some inconsistencies.
08:20
I think you will agree with me. With the exception of the data broker registration, these are all business friendly amendments,
08:28
the point is clear.
08:28
They want the CCPA to be more business friendly.
08:31
We'll see where that train goes.
08:33
I'll see you in the next lesson
08:35
as we discuss more changes coming to the land of the California Consumer Privacy Act,
08:41
I'll see you there.
California Consumer Privacy Act (CCPA)

This course examines the privacy obligations that are established by the California Consumer Privacy Act (CCPA) and how students can help their employers implement changes to their organizations to remain compliant with this new law.
