As discussed in our client update of July 9, 2018, California expanded its already extensive data privacy legal framework with the enactment of the California Consumer Privacy Act of 2018 (CCPA). Given its breadth and scope, the CCPA will reach not only California markets, but U.S. markets as a whole. On September 23, the California governor approved Senate Bill (SB) 1121, which amended key aspects of CCPA that will impact organizations that conduct business in California. Although the CCPA will not become effective until 2020, organizations should begin evaluating the CCPA’s impact on their internal and external operations and begin to take steps towards developing necessary compliance programs. The most significant amendments to the CCPA (from SB 1121) are as follows:
Direct Private Right of Action. The CCPA allows not only for regulatory enforcement, but also for a private right of action in certain circumstances where a company has failed to implement the data security measures required under the CCPA. Prior to SB 1121, a consumer had to notify the Attorney General’s Office within 30 days of filing a private action and then wait an additional 30 days post-notification, to allow the Attorney General’s Office to decide whether to prosecute the violation itself or allow the consumer to proceed with his/her own suit. SB 1121 removed that notification requirement. Therefore, under the amended version of the CCPA, “consumers,” defined broadly to mean any identifiable California resident, are permitted to bring private actions for data privacy matters without notifying the attorney general. This is significant because consumers are no longer required to wait 30 days after notifying the Attorney General’s Office before proceeding with their own suits.
Health Care Providers and Associates. Under SB 1121, health care providers and other entities that are legally required to adhere to the Health Insurance Portability and Accountability Act (HIPAA) are now exempt from the CCPA “to the extent that the provider or covered entity maintains patient information in the same manner as medical information or protected health information” pursuant to HIPAA. In addition, with the adoption of SB 1121, the CCPA now provides an exemption for information collected as part of a clinical trial, so long as that clinical trial is conducted in accordance with federal policy and specified clinical practice guidelines. [Note: SB 1121 did not alter the CCPA’s provision that similarly excludes from its applicability personal information that is collected and processed pursuant to the Gramm-Leach-Bliley Act.]
(Possible) Reduction in Fines. SB 1121 has reduced the fines that the California attorney general may seek pursuant to a regulatory enforcement action. Initially, the attorney general could seek $7,500 for a violation of the CCPA. Now, under SB 1121, the fines have been reduced to $2,500 per violation, unless there is evidence of the violation being intentional, in which case the fine could be as much as $7,500.
Enforcement and Compliance Date. SB 1121 extended the Attorney General’s Office deadline to publish the CCPA regulations from January 1, 2020 to July 1, 2020. This is consequential because, although the CCPA is effective immediately upon signing, SB 1121 revised the enforcement date, allowing the attorney general to enforce the CCPA regulations either six months from the date that the final regulations are published or on July 1, 2020, whichever is earlier. This change in the enforcement date may allow businesses additional time to adjust and take steps to comply with the CCPA’s regulations.
What’s Next for the CCPA?
It is likely that these amendments are the first of many, as it is foreseeable that businesses will push for changes to the law when the California Legislature reconvenes in January 2019. One potential amendment being discussed within the business community is to narrow the CCPA’s definition of “personal information.” Although SB 1121 provided a new definition of personal information that has been adopted into the CCPA, it is still defined more broadly than in other relevant contexts, such as in personal data breach notification laws. For example, in the context of personal data breach notification statutes, the term “personal information” is often defined in a manner limited to an individual’s name in connection with his/her Social Security number, driver’s license number, financial data, or other specific identifying information. This narrower definition of personal information has been adopted to account for the fact that the risk of identity theft and fraud is heightened when such information is disclosed in an unauthorized manner. SB 1121 defines personal information as anything that “identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.” The breadth and ambiguity of this definition make it difficult to determine what information would or would not qualify as personal information within the meaning of the law. This is just one area of the law that could potentially be amended to bring clarity to businesses and consumers.