Amendments to the California Consumer Privacy Act (CCPA; AB-375, Cal. Civ. Code § 1798.100 (2018)) passed both the Senate and the Assembly on Sept. 13, finalizing the data privacy regulation and ending a year-long debate over what would eventually be enforced and how. The amendments clarified sections of the bill pertaining to personal data, the private right of action, employee privacy requirements and several other issues.
The CCPA is a landmark in data privacy legislation for the United States. The law itself was inspired by the GDPR, and has, in turn, influenced several data privacy laws enacted in the U.S. during the past 18 months, most notably in Nevada and Maine.
The amendments have been sent to Governor Gavin Newsom’s desk, and he has until Oct. 13 to take action.
The Electronic Frontier Foundation considered the amendment session to be a great success for data privacy and the protection of private individuals in the face of stiff industry opposition. The amendments that passed make minor changes to the bill, and do not affect the primary goals of the CCPA: to protect data privacy in California and to set a standard equal to the GDPR for other states (and perhaps the U.S. federal government) to follow. Hayley Tsukayama wrote, “[T]he worst provisions of these bills did not make it through the legislature …. Lawmakers proposed bills that would have opened up loopholes in the law and made it easier for businesses to skirt privacy protections if they shared information with governments, changed definitions in the bill to broaden its exemptions, and made it easier for businesses to require customers to pay for their privacy rights.”