Less than three months ago, California enacted the California Consumer Privacy Act of 2018 (“CCPA”). Industry and privacy watch groups alike have scrutinized the law. This summer saw fierce negotiations all in the name of improving the CCPA. Last Friday, on August 31, 2018, the California legislature passed SB 1121 to amend the CCPA.
The CCPA applies to for-profit entities that conduct business in California. It has an expansive definition of personal information and grants California residents a number of new rights, including rights to request access to and deletion of certain data, and to opt out of the sale of data. For a more detailed summary of the CCPA, please see our previous blog post.
SB 1121 largely preserves the substance of the CCPA, but it contains the following technical edits:
- Tolled AG Enforcement. Under the original CCPA, implementation was delayed until January 1, 2020. Under SB 1121, the Attorney General may not bring an enforcement action until six months after the publication of the Attorney General’s final implementation regulations or July 1, 2020 — whichever is earlier. This tolled AG enforcement does not affect the timing of private litigation, which is limited to certain data security breach scenarios.
- Clarified Exemptions for Certain Regulated Activities. SB 1121 clarified exemptions for data already regulated under the Gramm-Leach-Bliley Act (“GLBA”), the Driver’s Privacy Protection Act (“DPPA”), and the Health Insurance Portability and Accountability Act (“HIPAA”). As originally enacted, the CCPA exempted data handled pursuant to the GLBA and the DPPA only if the CCPA conflicted with those laws. Under SB 1121, data handled pursuant to the GLBA and DPPA is exempt from the CCPA – period. SB 1121 clarifies that the CCPA does not apply to a provider of health care or another entity governed by HIPAA. SB 1121 also clarifies that the CCPA does not apply to information collected (1) by an entity governed by HIPAA or (2) as part of a clinical trial.
- Private Right of Action. SB 1121 limits private rights of action to situations which meet the following two characteristics: (1) there is a data security breach involving unredacted or unencrypted personal information and (2) the breach was caused by the company’s failure to maintain reasonable security measures. SB 1121 notes that there is no private right of action when the company cures the alleged violation within thirty days and provides the consumer an express written statement that the violations have been cured and no further violations of the act shall occur. It also eliminates the requirement that potential plaintiffs notify the Attorney General of their suit. The Attorney General requested that this requirement be deleted in his August 22, 2018 letter.
- Press Activities and the First Amendment. SB 1121 clarifies that the CCPA’s consumer rights and business obligations do not apply to the extent they infringe on non-commercial activities of the press. The law remains vulnerable to the extent it infringes upon other activities protected under the First Amendment.
- Local Law Conflicts. SB 1121 adds a clause to prevent confusion created by the enactment of conflicting local laws; that clause takes effect immediately.
The CCPA requires the Attorney General’s office to promulgate implementation regulations, which will further clarify the CCPA’s substantive requirements. In the meantime, SB 1121 awaits the governor’s signature.
Update September 6, 2018: This post was updated to reflect the new implementation dates for the private right of action and preemption provisions.