California Legislature Passes Amendments to the California Consumer Privacy Act
The California Consumer Privacy Act (CCPA) is a major new state law poised to affect the privacy landscape not just in California, but in the U.S. as a whole. (For a detailed overview of the CCPA, read our previous post.) On August 31, the California legislature passed several amendments to the CCPA that will have a significant impact on its implementation. The amendments, which are set out in Senate Bill 1121, may be summarized as follows:
Changes to Effective and Enforcement Dates. As originally drafted, the CCPA was set to become operative on January 1, 2020, and SB 1121 preserves this operative date. However, the bill clarifies that the CCPA will go into effect immediately upon the bill being signed into law in order to prevent California localities from passing conflicting laws prior to the January 1, 2020 operative date. Practically speaking, this means that although the CCPA will go “into effect” and become California state law immediately, its directives still will not become operative until January 1, 2020.
That being said, the California Attorney General will not necessarily be able to enforce the law until after January 1, 2020, as the bill also changes the date by which the Attorney General is expected to publish implementing regulations. The CCPA requires the Attorney General to adopt implementing regulations meant to “further the purpose” of the law and may, for example, update the categories of data considered to be “personal information” under the law in order to address changes in technology; establish exceptions required to comply with state or federal law; and set out rules and procedures governing businesses’ compliance with consumers’ opt-out requests. SB1121 pushes the date by which the Attorney General must publish those regulations by six months, from January 1, 2020 to July 2, 2020. Additionally, the bill precludes the AG from bringing a CCPA enforcement action until six months after the publication of the final regulations or July 1, 2020, whichever is sooner. This may give companies some lead time to ensure that they are in compliance with the regulations, depending on when those regulations are published.
Elimination of a Notification Requirement. The CCPA provides a private right of action, meaning it allows individuals to pursue their own lawsuits (rather than wait for a regulatory enforcement action) in instances where company suffers a data breach attributable to the company’s failure to implement reasonable security measures. The CCPA originally required consumers pursuing a private action to notify the Attorney General within 30 days of filing that action. The law then gave the Attorney General 30 days to take one of three actions: notifying the consumer of the AG’s intent to pursue the action, instructing the consumer not to proceed with the action, or ignoring the notification (which would allow the consumer to proceed). However, the bill eliminates a consumer’s duty to notify the AG. A consumer is still required to notify a business of any violations he or she detects 30 days before initiating an action against the company.
Clarifications as to Entities Exempted from the CCPA. Certain companies subject to other privacy requirements in the federal Gramm-Leach-Bliley Act, the federal Health Insurance Portability and Accountability Act, the California Financial Information Privacy Act, and other sector-specific laws initially were concerned that CCPA could impose conflicting requirements on them. The bill clarifies that data handled pursuant to, and covered entities subject to, certain specific laws – specifically the Gramm-Leach-Bliley Act, the Driver’s Privacy Protection Act, and the California Financial Information Privacy Act – are not subject to the CCPA. The bill also clarifies that some clinical trials, and healthcare providers covered by the Confidentiality of Medical Information Act – a California state law that supplements HIPAA privacy requirements – do not need to comply with the CCPA. However, in some of these cases, CCPA’s narrow private right of action is still available.
As of the time of writing, SB1121 is sitting on Governor Brown’s desk awaiting signature, meaning it has not yet become law. Assuming the bill becomes law, additional amendments still may be forthcoming between now and the time the CCPA becomes enforceable.