Update: the Governor of California, signed Senate Bill 1121 on September 23, 2018, ratifying the amendments described below.
On August 31, 2018, the California State Legislature passed Senate Bill 1121, amending the California Consumer Privacy Act of 2018 (“CCPA”). The CCPA, which contains the broadest consumer data privacy protections in the country, was hastily passed in June to forestall an advocacy group from putting a more restrictive bill before voters in a November referendum. Since then, the CCPA has been widely criticized, including by California’s own attorney general. Now, it appears, California lawmakers are busy trying to clean up the CCPA before it goes into effect in January 2020.
While leaving the most significant provisions of the CCPA intact, such as the right of consumers to request that a business delete their personal information, SB 1121 makes many substantive changes, including, among others, the following:
- Clarifies that personal information includes, but is not limited to, multiple types of information so long as such information “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
- Removes references to California’s Unfair Competition Law (Business and Professions Code Section 17206) and changes the civil penalty for violations of the CCPA to $2,500 per violation or $7,500 for each intentional violation from the current $7,500 per violation.
- Eliminates the requirement that a consumer notify the Attorney General of an alleged violation of the CCPA before initiating a private action.
- Extends the deadline by which the Attorney General is required to adopt regulations to implement the CCPA from January 1, 2020 to July 1, 2020.
- Requires the Attorney General to wait until six months after the publication of the final regulations, or six months from July 1, 2020, whichever is sooner, before beginning any enforcement action under the CCPA.
- Creates an exception to the CCPA for providers of health care who are subject to the data privacy requirements of Health Insurance Portability and Accountability Act of 1996.
- Creates an exception to the CCPA for information collected as part of a clinical trial subject to the Federal Policy for the Protection of Human Subjects.
- Clarifies the interaction between the Gramm-Leach-Bliley Act and the CCPA, and excludes personal information collected, processed, sold, or disclosed pursuant to California’s Financial Information Privacy Act.
- Clarifies that the obligations of the CCPA do not apply to the extent they infringe upon the non-commercial activities of a person or entity as described in subdivision (b) of Section 2 of Article I of the California Constitution.
Even though the revisions are significant, they do little to answer many questions businesses likely have (and should have) regarding its implementation. Further, as discussed above, the revisions do not affect the material rights the CCPA confers on consumers. Therefore, businesses should continue to plan carefully to achieve compliance with the CCPA by the January 2020 implementation date.
Click here for an overview of the CCPA, and our recommendations on preparing for it.
Click here for a redline comparison of the CCPA and SB 1121 to review the changes in greater detail.