December 16, 2018

December 14, 2018

Subscribe to Latest Legal News and Analysis

Amendments to the California Consumer Privacy Act of 2018: Progress toward Clarity

Amendments to California’s expansive Consumer Privacy Act of 2018 (“the Act”) include new provisions that may significantly impact the timing of enforcement and provide exemptions for large amounts of personal data regulated by other laws.

The Act, signed into law in June, is a sweeping data privacy law that regulates the processing of personal data of California residents. Because the Act was hastily passed in order to prevent a similar ballot initiative proceeding to a vote in the November elections, it was expected that the Act would undergo significant amendments before it enters into effect on January 1, 2020.

The first amendments were passed by the California State Legislature on August 31, 2018, in the form of SB-1121 (“the Bill”), and Governor Brown has until

September 30, 2018 to sign it. While SB-1121 is labeled as a “technical corrections” bill designed to address drafting errors, ambiguities, and inconsistencies in the Act, in fact, it creates new provisions in addition to those already contained within the Act.

Extension in Enforcement

One notable provision of the Bill is that it grants a six-month grace period from the date the California AG issues regulations or July 1, 2020, whichever is earlier, before enforcement actions can be brought. This extension only applies to the privacy requirements of the law and does not pertain to the data breach class action provisions (including the availability of statutory damages), which will go into effect on January 1, 2020.

If regulations are issued on or before July 1, 2019, an unlikely occurrence since the AG has been given an extension to develop those regulations until July 1, 2020, there will be no six-month grace period.

In any event, the starting date for the enforcement of the Act’s privacy provisions is now entirely unclear.

Exemptions

Another key effect of the Bill is that it fully exempts data that is regulated by the Gramm-Leach-Bliley Act, the California Financial Information Privacy Act, HIPAA, the California Confidentiality of Medical Information Act, the clinical trials Common Rule, and the Driver’s Privacy Protection Act from the privacy requirements of the Act. However, these industries are still subject to the privacy provisions of the Act if they engage in activities falling outside of their applicable privacy regulations (except for the health care industry, if it treats all data as PHI, then it remains exempt as to all data). Nevertheless, these regulated industries are still subject to the data breach class action provisions of the Act.

Technical Corrections

The Bill includes some significant clarifications to the Act, including:

  • Clarifying that data is only personal data if the data “identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.”

  • Clarifying that provisions allowing private causes of action only apply to data breaches and not the entire Act.

  • Eliminating the California AG’s 30-day screening process for private causes of action.

  • Noting that the Act preempts local laws on the day of its enactment not enforcement (effectively preempting a current San Francisco privacy ballot measure).

  • Stating that the civil penalty for unintentional violations of the privacy provision of the Act is up to $2,500 per violation if the business fails to cure the violation, and up to $7,500 per violation if the violation is intentional.

  • Allocating civil penalties and settlements reached pursuant to the Act to the California Consumer Privacy Fund and deleting the requirement that the jurisdiction which initiated the action receives 80 percent of such funds.

Conclusion

As we previously predicted, the Act will continue to evolve prior to its January 1, 2020 enactment. While the current Bill attempts to clarify the Act, it does not address all of the ambiguities and uncertainties. We anticipate further changes and guidance regarding the Act and will continue to monitor the latest developments.

© Copyright 2018 Squire Patton Boggs (US) LLP

TRENDING LEGAL ANALYSIS


About this Author

Robin Campbell, Squire Patton Bogs Law Firm, Cybersecurity lawyer, healthcare attorney
Partner

Robin Campbell co-leads our Data Privacy & Cybersecurity Group and is a member of our Healthcare Practice. Robin brings first-hand understanding of the day-to-day issues faced by clients, having been seconded to clients to manage privacy in-house three times, twice in the automotive sector and once in healthcare. Robin’s practice focuses on a wide array of privacy and security issues, including the development and implementation of information management strategies for the handling of personal information. Robin focuses on providing practical solutions for data...

202 457 6409
Shalin Sood, Squire Patton Boggs Law Firm, Washington DC, Cybersecurity Law Attorney
Associate

Shalin “Shawn” Sood is an associate in the Data Privacy & Cybersecurity Practice. Shawn advises clients on a variety of issues, including cybersecurity best practices and risk assessments, incident response programs and cybersecurity compliance. He also assists clients on compliance with the EU General Data Protection Regulation (GDPR) and establishing robust and thorough data privacy programs. He also has experience in representing international businesses in compliance and investigations from federal and state governments.

202-457-6183