On September 23, Governor Jerry Brown signed into law SB 1121, which amends the California Consumer Privacy Act (CaCPA). While many issues with CaCPA remain, SB 1121 addresses some of the initial concerns that have been raised about it.
The CaCPA is a new state law that grants consumers new rights with respect to their personal information. (See our prior alert regarding CaCPA.) The law applies to businesses that handle California residents’ personal information and that either are larger than a certain size or are heavily reliant on selling consumer information. It requires them to inform consumers about what categories of personal information they maintain and are selling, as well as to give consumers a meaningful opportunity to opt out of the sale of their information. Among other provisions, the law also gives consumers a private right of action when companies experience a data breach.
Originally, CaCPA was a private voter initiative that was going to appear on the ballot in the November 2018 elections. However, after negotiations between the initiative organizers and legislators, a modified version was enacted legislatively on June 28, 2018, which means revisions can be made legislatively as well. Since that time both industry groups and consumer representatives have been lobbying for revisions to the original act. SB 1121 includes the first set of such revisions, with more possibly in the works as lobbying continues. In addition to fixing some grammatical errors and similar technical issues, SB 1121 does four main things:
- Changes Effective and Enforcement Dates. The original CaCPA was to be implemented on January 1, 2020. Under SB 1121, the Attorney General may not bring an enforcement action until six months after the publication of the Attorney General’s final implementation regulations or July 1, 2020, whichever is earlier. On the other hand, SB 1121 clarifies that the law’s provision preempting any competing legislation by California localities is effective immediately.
- Expands and Clarifies Exemptions for Certain Regulated Activities. SB 1121 clarifies the exemptions for data that is already protected by the Gramm-Leach-Bliley Act (“GLBA”), the Driver’s Privacy Protection Act (“DPPA”), and the Health Insurance Portability and Accountability Act (“HIPAA”). CaCPA’s original text exempted data handled pursuant to GLBA and DPPA only in cases where CaCPA conflicted with those laws. Now, data handled according to GLBA or DPPA guidelines is entirely exempt from CaCPA, and any entity governed by HIPAA is not subject to CaCPA at all.
- Exempts Data Covered by Non-Commercial Press Activities. SB 1121 clarifies that the CaCPA’s consumer rights and business obligations do not apply to the extent they may infringe on non-commercial activities of the press. However, the law may face challenges to the extent it infringes upon other activities protected under the First Amendment, including by targeting information-selling activities.
- Eases Requirements For Private Right of Action. SB 1121 removes the requirement that individuals in data breach cases must notify the Attorney General thirty days prior to filing suit under the CaCPA and give the Attorney General the opportunity to pursue the action. California’s Attorney General opposed this provision, which was seen as too restrictive for private rights of action. However, the bill also clarifies that the private right of action under CaCPA is limited to certain types of data security incidents, as set forth elsewhere in CaCPA, and does not provide a right related to alleged violations of “any other sections of this title.”
Going forward, there are likely to be additional rounds of revision, as legislators, lobbyists, and privacy experts all continue to scrutinize the law. In addition, CaCPA requires the Attorney General’s office to promulgate implementation regulations. Once drafted, these will further clarify CaCPA’s substantive requirements.
While there are no hearings currently scheduled on CaCPA or related regulations, efforts to continue to mold it through less-formal means are proceeding apace. Because CaCPA purports to apply so broadly to many companies handling the data of California residents – even if the business is not established in California – it is critical to continue to be aware of changes in the law going forward. CaCPA’s provisions have the potential to impose huge liability on any company that handles consumers’ data – which, these days, is almost any company with a website – so any changes to enhance or restrict CaCPA may have a major effect on business.