As expected, the California Legislature has passed Senate Bill 1121 (introduced by Senator Bill Dodd) in an attempt to resolve drafting errors and clarify certain provisions of the California Consumer Privacy Act (CCPA) that was hastily passed back in June 2018. The CCPA is a major new state law that will affect the privacy landscape across California and the country. Following its initial passage, the legislature confirmed its intent to make technical amendments to "clean up" the CCPA. After receiving feedback from various business groups, consumer groups and the California Attorney General (AG), Xavier Becerra, the legislature passed SB-1121 on Friday, August 31. Assuming that Governor Jerry Brown signs SB-1121 into law by the September 30 deadline, SB-1121 will officially amend various provisions of the CCPA such as the CCPA’s effective date, AG enforcement procedure and the CCPA’s applicability. Businesses potentially subject to this new law should keep a close eye on developments with the CCPA.

Changes to the CCPA:

Effective date and enforcement. Originally, the CCPA had an operative date of January 1, 2020. This operative date has not changed. However, the measure also precludes the AG from bringing an enforcement action under the CCPA until the passing of six months or after July 1, 2020, whichever is sooner. This six-month period is intended to allow businesses time to ensure that they are compliant with the newly adopted regulations. Additionally, the one-year requirement for the AG to establish and publish certain rules and procedures will be eliminated. The AG will now have until July 1, 2020, to adopt implementing regulations meant to “further the purpose” of the CCPA (e.g., modifying the categories of data defined as “personal information”; carving out exceptions for conflicts with state or federal law; and setting out additional rules and procedures governing businesses’ compliance with consumers’ opt-out requests).

Elimination of gatekeeping function (notification to AG). Consumers will have the right to pursue a private action only as it pertains to security incidents described in California Civil Code section 1798.150(a). Unlike in the original version of the CCPA, consumers will no longer be obligated to notify the AG within 30 days of filing a private action. Additionally, they will no longer receive instruction by the AG on how to proceed based on their notice (e.g., notifying the consumer of the AG’s intent to pursue the action, instructing the consumer not to proceed with the action or ignoring the notification). This revision gives consumers a more unencumbered opportunity to pursue litigation against businesses for alleged violations of their privacy rights, instead of being filtered through the state government. Even though SB-1121 eliminates the requirement to notify the AG, consumers must still notify a business of any violations before they file an action.

Inapplicability to financial and health care institutions. To avoid confusion or potential conflicts with existing federal and state regulations, the CCPA will be inapplicable to certain financial and health care institutions. Specifically, SB-1121 prohibits the application of the CCPA to a financial institution that collects, processes, sells or discloses personal information pursuant to the federal Gramm-Leach-Bliley Act or the California Financial Information Privacy Act. SB-1121 also does not extend to protected health or medical information governed by the federal Health Insurance Portability and Accountability Act (HIPAA) or the California Confidentiality of Medical Information Act. The bill also provides some clarity in prohibiting the application of the CCPA to some clinical trials and health care providers covered by the Confidentiality of Medical Information Act. However, in some of these cases, the narrow private right of action does apply.

Moving forward

A final iteration of the CCPA is still a moving target. It is expected that the California Legislature will continue to make substantive changes to the law even after its effective date in light of developments in technology and evolving concepts of privacy and cybersecurity. Despite this rumored change, the private right of action contained in the CCPA survived the amendment process and the law contains massive incentives for class action lawyers to test its breadth in court. We will continue to monitor developments regarding the CCPA. This is certainly a development in U.S. privacy law to stay abreast of.