On September 23, 2018, California’s governor signed into law the first round of revisions to the California Consumer Privacy Act (CCPA), the most sweeping privacy legislation in this country.  California enacted the CCPA in June and it takes effect on January 1, 2020.  Inspired by the European Union’s General Data Protection Regulation, the California legislature initially drafted the CCPA in haste to avoid a ballot initiative containing more onerous provisions for businesses.  Not surprisingly, the hurried and voluminous legislation contained a number of issues that ranged from drafting errors to significant enforcement and compliance hurdles.  Accordingly, as expected, at the end of August, the legislature passed S.B. 1121, which contained several revisions to address some but not all of those issues, including a possible enforcement delay of up to six months.

CA Attorney General Concerns

Feedback from the state AG’s office on the burdens the CCPA imposed on its office prompted a number of the first-round revisions. First, S.B. 1121 grants the AG’s office six additional months ‒ from January 1, 2020 to July 1, 2020 ‒ to promulgate the CCPA’s implementing regulations.  Additionally, and most importantly for those businesses subject to the CCPA, S.B. 1121 also delays enforcement until six months from the date the AG adopts the regulations or until July 1, 2020, whichever comes first.  Notably, this may create a challenging compliance position for businesses if the AG’s office adopts regulations at the end of its six-month extension, leaving little or no time between the announcement of the new rules and their enforcement.  Finally, based on the AG’s concern about additional burdens on its staff, S.B. 1121 removes the requirement that consumers notify the AG’s office within 30 days of filing a private cause of action and that the AG respond to such notices.

Interaction with Other Privacy Laws

Originally, the CCPA exempted any information covered under the Gramm-Leach-Bliley Act (GLBA) or the Driver’s Privacy Protection Act (DPPA) from coverage under the CCPA, to the extent that the CCPA requirements conflicted with the GLBA or DPPA. S.B. 1121 erased that conflict qualification.  Now, the CCPA exemption applies without qualification to GLBA and DPPA data, but if businesses process other data not protected by GLBA or DPPA, such businesses will still be subject to the CCPA for the other data they maintain.

Additionally, the original version of the CCPA inadequately addressed the intersection of the CCPA and federal and state health privacy laws. S.B. 1121 fixed these issues.  First, S.B. 1121 expands the type of health information that the CCPA exempts to include information maintained by business associates under the Health Insurance Portability and Accountability Act (HIPAA), as opposed to just covered entities.  Further, S.B. 1121 adds an exemption for “providers of health care” from complying with the CCPA so long as they maintain health information as required by California’s Confidentiality of Medical Information Act and HIPAA.  This exemption is good news for health care providers.  As currently written, it appears to exempt health care providers from the CCPA in its entirety, as opposed to providing only a data-specific exemption.  On a related health care front, S.B. 1121 also exempts clinical trial data that is subject to the Federal Policy for the Protection of Human Subjects and follows clinical practice guidelines.

Local Privacy Laws Preempted

Under the original version of the law, there were concerns about cities or towns passing laws that provide more or different privacy protections than the CCPA. For example, San Francisco had such a measure pending.  S.B. 1121 eliminated this concern, as it now preempts any similar local efforts.

Definition of “Personal Information”

S.B. 1121 also clarifies that the list of examples in the CCPA of personal information will only qualify as personal information if the data element “identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.” While this remains the broadest definition of personal information in this country even after the revisions, the clarification tempers the scope of the definition of personal information even if only slightly.

Civil Penalty and Private Right of Action Clarifications

S.B. 1121 clarifies that the civil penalty for violations is up to $2,500 per violation or $7,500 per violation for intentional conduct. As for the private right of action, it applies only to data breaches and not all provisions of the CCPA.

More to Come

While S.B. 1121 addressed some of the concerns about the CCPA, many issues remain. Therefore, it is likely that California will enact more legislative fixes in the months to come.  Stay tuned.

Dena M. Castricone

Dena M. Castricone, CIPP/US is the chair of the Privacy and Cybersecurity group and a member of the Long Term Care and Health Care groups.  She also serves as Chair of the firm’s Women Expanding Business initiative and co-chair of the firm’s Pro Bono Committee.  Prior to joining Murtha Cullina, Dena served as a law clerk to the Chief Justice of the Rhode Island Supreme Court, Frank J. Williams.

As the Chair of the Privacy and Cybersecurity group and a Certified Information Privacy Professional (CIPP/US), Dena provides the full complement of data breach coaching services to business and health care clients, including breach notification to individuals and various government entities.  Related to data breaches, she also counsels clients on the creation of information security and incident response plans and other proactive measures.  Additionally, Dena advises clients on compliance with state, federal and international privacy laws including the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA) as well as many others. Dena has written extensively on privacy and cybersecurity issues and she is the Co-Editor of Privacy and Cybersecurity Perspectives.

Daniel J. Kagan

Dan Kagan is an Associate in the Health Care, Long Term Care and Privacy and Cybersecurity Groups. He represents hospitals, physicians, nursing homes, assisted living communities, CCRCs and other health care clients with a wide range of regulatory, compliance, risk management, transactional and reimbursement issues.

With regard to Privacy and Cybersecurity, Dan has experience drafting privacy policies and notices, website terms of use, written information security plans and incident response plans.  Dan counsels clients on compliance issues related to state, federal and international privacy laws including the General Data Protection Regulation (GDPR).  Dan also has experience representing both health care and non-health care clients that have suffered data breaches and assists such clients with breach response and applicable reporting obligations.  Dan writes extensively on privacy and cybersecurity issues and is a co-editor of Murtha’s Privacy and Cybersecurity Perspectives blog.

As a member of the Health Care and Long Term Care groups, Dan has experience representing clients with HIPAA compliance, Stark and anti-kickback analyses, purchase and sale transactions, reviewing and drafting contracts, certificate of need requirements, rate appeals, Medicare and Medicaid audits, medical staff and credentialing matters, licensing and change of ownership proceedings.

Prior to joining Murtha Cullina, Dan clerked for the Honorable Lubbie Harper, Jr. and the Honorable Joseph H. Pellegrino of the Connecticut Appellate Court.

Dan received his J.D. with honors from the University of Connecticut School of Law where he was a Notes and Comments Editor for the Connecticut Insurance Law Journal. He earned his Bachelor of Arts in Economics from McGill University.