On September 23, 2018, California’s governor signed into law the first round of revisions to the California Consumer Privacy Act (CCPA), the most sweeping privacy legislation in this country. California enacted the CCPA in June and it takes effect on January 1, 2020. Inspired by the European Union’s General Data Protection Regulation, the California legislature initially drafted the CCPA in haste to avoid a ballot initiative containing more onerous provisions for businesses. Not surprisingly, the hurried and voluminous legislation contained a number of issues that ranged from drafting errors to significant enforcement and compliance hurdles. Accordingly, as expected, at the end of August, the legislature passed S.B. 1121, which contained several revisions to address some but not all of those issues, including a possible enforcement delay of up to six months.
CA Attorney General Concerns
Feedback from the state AG’s office on the burdens the CCPA imposed on its office prompted a number of the first round revisions. First, S.B. 1121 grants the AG’s office six additional months ‒ from January 1, 2020 to July 1, 2020 ‒ to promulgate the CCPA’s implementing regulations. Additionally, and most importantly for those businesses subject to the CCPA, S.B. 1121 also delays enforcement for six months from the date the AG adopts the regulations or until July 1, 2020, whichever comes first. Notably, this may create a challenging compliance position for businesses if the AG’s office adopts regulations at the end of its six-month extension. This will leave little or no time between the announcement of the new rules and the enforcement of those rules. Finally, based on the AG’s concern about additional burdens on its staff, S.B. 1121 removes the requirement that consumers must notify the AG’s office within 30 days of filing a private cause of action and that the AG respond to such notices.
Interaction with Other Privacy Laws
Originally, the CCPA exempted any information covered under the Gramm-Leach-Bliley Act (GLBA) or the Driver’s Privacy Protection Act (DPPA) from coverage under the CCPA, to the extent that the CCPA requirements conflicted with the GLBA or DPPA. S.B. 1121 erased that conflict qualification. Now, the CCPA exemption applies without qualification to GLBA and DPPA data, but if businesses process other data not protected by GLBA or DPPA, such businesses will still be subject to the CCPA for the other data they maintain.
Additionally, the original version of the CCPA inadequately addressed the intersection of the CCPA and federal and state health privacy laws. S.B. 1121 fixed these issues. First, S.B. 1121 expands the type of health information that the CCPA exempts to include information maintained by business associates under the Health Insurance Portability and Accountability Act (HIPAA), as opposed to just covered entities. Further, S.B. 1121 adds an exemption for “providers of health care” from complying with CCPA so long as they maintain health information as required by California’s Confidentiality of Medical Information Act and HIPAA. This exemption is good news for health care providers. As currently written, it appears to exempt health care providers from the CCPA in its entirety, as opposed to providing only a data-specific exemption. On a related health care front, S.B. 1121 also exempts clinical trial data that is subject to the Federal Policy for the Protection of Human Subjects and follows clinical practice guidelines.
Local Privacy Laws Preempted
Under the original version of the law, there were concerns about cities or towns passing laws that provide more or different privacy protections than the CCPA. For example, San Francisco had such a measure pending. S.B. 1121 eliminated this concern, as it now preempts any similar local efforts.
Definition of “Personal Information”
S.B. 1121 also clarifies that the list of examples in the CCPA of personal information will only qualify as personal information if the data element “identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.” While this remains the broadest definition of personal information in this country even after the revisions, the clarification tempers the scope of the definition of personal information even if only slightly.
Civil Penalty and Private Right of Action Clarifications
S.B. 1121 clarifies that the civil penalty for violations is up to $2,500 per violation or $7,500 per violation for intentional conduct. As for the private right of action, it applies only to data breaches and not all provisions of the CCPA.
More to Come
While S.B. 1121 addressed some of the concerns about the CCPA, many issues remain. Therefore, it is likely that California will enact more legislative fixes in the months to come. Stay tuned.