The California Attorney General is currently on a California tour soliciting public comment on the CCPA. To date, the Attorney General has held public forums in San Francisco (January 8th), San Diego (January 14th) and Riverside (January 24th) and will continue on to Los Angeles (January 25th), Sacramento (February 5th), and Fresno (February 13th). These hearings are being held pursuant to a CCPA requirement that the Attorney General “solicit broad public participation and adopt regulations to further the purposes” of the CCPA. Specifically, the Attorney General is directed to seek public feedback on the following areas: expanding the definition of “personal information,” establishing additional exceptions to compliance, establishing rules and procedures for facilitating consumer opt-out requests, just to name a few.
Attendees at the first two forums mostly focused on the need for clarification of:
- The meaning of “sale” of personal information;
- Whether “personal information” encompasses IP Address. Commenters raised concerns that companies that collect only IP addresses, may face a burden if they would need to start collecting other personal information in order to validate and verify consumer opt-out requests;
- The meaning of “homepage,” and whether the Opt-Out link/button needs to be on every page of a website or just the “homepage;”
- The monetary and numerical thresholds at which the CCPA applies;
- Circumstances that would allow companies to charge a consumer a different price, or provide a different level or quality of goods or services to the consumer. The law presently permits business to do this if the difference in price charged or quality of goods or services provided is reasonably related to the value provided by the consumer’s data; and
- The impact of the CCPA on loyalty programs, which could be construed as either “financial incentives” or discrimination.
Attendees also commented on the following areas:
- Scope of CCPA to HR: Commenters asked whether the CCPA applied to the collection of employee data for HR purposes
- GDPR: Given the time and expense business face in complying with the GDPR, consumer advocated for a safe harbor for GDPR compliance companies, or at least aligning the CCPA with the GDPR.
Because we are likely to see substantive changes to the CCPA following these public forums, we summarize the current state of the law to aid businesses beginning to formulate their compliance programs.
Background: California Passes Sweeping Consumer Privacy Law
On June 28, 2018, California enacted the California Consumer Privacy Act (CCPA or Act), a data privacy law allowing consumers to request that businesses disclose what information it collects about the consumer, the source of the information collected, and with whom it has shared the information. The CCPA also permits consumers to opt-out of the sale of their personal information. Furthermore, the ACT prohibits businesses from discriminating against consumers who exercise their rights under this law.
With CCPA implementation deadlines approaching, businesses should be cognizant of the amendments to the CCPA modified by SB 1121, which was signed into law on September 23, 2018. SB 1121 makes substantive changes and provides clarity on the following points:
Impact of SB 1121
- Modification of the Financial Institution Carve-Out
The CCPA when originally enacted, contained a carve out for financial institutions reading, “[t]his title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations, if it is in conflict with that law.” The new language from SB 1121 resolves some of the ambiguities. Namely, SB 1121 eliminates the phrase “if in conflict with that law” and adds the phrase “or the California Financial Information Privacy Act…” SB 1121 also adds that this subdivision shall not apply to Section 1798.150 which sets forth consumers’ private right of action in the event of a data breach. In other words, SB 1121 provides that the CCPA does not apply to “personal information collected, processed, sold, or disclosed pursuant to a specified federal law relating to banks, brokerages, insurance companies, and credit reporting agencies, among others, and would also except application of the act to that information pursuant to the California Financial Information Privacy Act.”
Although this change provides clarity for entities subject to the GLBA, it in no way fully exempts them from the reach of the CCPA. This is because the GLBA’s definition of “nonpublic personal information” is much narrower than the CCPA’s definition of “personal information.” Thus, activity that falls outside the GLBA may well come within the CCPA’s purview.
- Changes to Enforcement and Effective Dates
The Act sets an operative date of January 1, 2020. Although the law becomes operative on the first of the year, SB 1121 provides that the California Attorney General has until July 1, 2020 to adopt regulations implementing the law. SB 1121 also clarifies that the California Attorney General may not enforce the Act until six months after publishing regulations under the Act or July 1, 2020, whichever date is sooner (“enforcement date”). Therefore depending on the complexing of the rulemaking process, it is possible that the regulations implementing the CCPA may not be in place on the operative date of January 1, 2020. However, SB 1121 provides little clarity as to whether the Attorney General may bring an enforcement action for violations occurring during the interim period after the operative date of January 1, 2020 but before the date the enforcement date.
In any case, this grace period set forth under the Act only applies to enforcement actions brought by the Attorney General, leaving open the possibility that private citizens may sue under the CCPA as early as the operative date.
- Clarification Regarding Private Right of Action
SB 1121 makes clear that consumer may only bring a private right of action for data breaches. This means that consumers may not sue for non-data breach related violations such as failure to give certain notices or disclosures. Although the SB-1121 makes clear that consumers may only sue under the Act in instances of a data breach, the possibility remains that consumer may use a non-data breach violation as a predicate act for purposes of bringing an action under the California UCL.
SB 1121 also does away with certain pre-suit requirements. Under the original Act, consumers were required to notify the California Attorney General, before bringing an action under the CCPA. Once notified, the Attorney General had the right to choose to prosecute the matter directly or disallow the case from proceeding altogether. Generally, SB 1121 bolsters consumers’ private right of action against offenders in that it eliminates the requirement that a consumer notify the Attorney General before bringing an action. Furthermore SB 1121 removes the Attorney General’s right to prohibit a consumer private right of action in the context of a data breach. However SB 1121 keeps the requirement that consumers must wait 30 days after alerting a business to any violations before initiating legal action,
- Clarification Regarding Penalties for Violations
SB 1121 clarifies that the penalties for intentional violation of the Act shall not excess $7,500 per violation and no more than $2,500 for an unintentional violation.