CCPA amendments are useful but ‘no magic bullet’

New amendments to California privacy laws are helpful, but PE firms should still be mindful of the compliance challenge.

The California legislature has passed bills to amend the CCPA. The amendments will add clarity to certain provisions – and should make the regime less onerous to comply with – but managers still face serious obstacles in complying by January 1, 2020, say lawyers.

“It’s really a bit of a patchwork right now in terms of these amendments,” said Melissa Bender, asset management partner for Ropes & Gray in San Francisco/Silicon Valley. “Certainly, these are improvements, and they’re helpful, but we’ve been advising clients to be mindful of the fact that these are not magic bullet solutions in terms of making the CCPA go away.”

Amendment AB-25 details the exemption of personal information collected by businesses about employees and exempts personal information collected by a business when it is collected with respect to a natural person – ie, consumer, California resident – or employees, owners, officers, etc and is used in the context of that collection. The provision also contains a sunset period of a year. In other words, companies will not need to worry about CCPA as it related to their own employees until January 1, 2021.

“So when you think about how this [AB-25] impacts a company in real time, one important item companies need to address is their privacy notices,” says Catherine Skulan, asset management counsel at Ropes & Gray in San Francisco. “You might have an outward facing one for consumers as that term is used in everyday language, and a more inward facing one with respect to employees.”

As with customers, a business will also need to inform its California-resident employees about the types of personal information it is collecting about them and why.

The AB-1355 amendments implement a number of changes to make the law less onerous. One amendment updates the definition of personal information to encompass the consumer and household, another addresses B2B communications transactions by allowing a one-year sunset period. 1355 also clarifies that class-action lawsuits may not be brought forward regarding “data breach personal information,” exempts deidentified and aggregate information from the statute, as well as detailing that goods or services are measured in relation to the value of the personal information to the business, not the consumer.

In a recent Q&A, Dan Silver of Clifford Chance talked about the effect laws have on the private equity industry. “For most fund managers, we don’t expect a drastic operational impact except in the use of large data sets, which pose higher risks.”