CCPA Update: Amendments Head to Governor’s Desk; Money Allocated for Regulations
Note: SB 1121 was signed into law on September 23, 2018.
On August 31, 2018, the California legislature unanimously passed a bill, SB 1121, amending the California Consumer Privacy Act (“CCPA”). While the bill does not change CCPA’s core compliance requirements, it does include some significant clarifications to the law, as well as technical corrections. The bill now awaits Governor Brown’s signature.
Following CCPA’s hasty enactment in June, there was broad agreement among industry groups, privacy advocates, and state government officials that the law needed to be amended to fix a number of drafting errors, such as erroneous cross-references and sentence fragments. In addition to making many of those corrections, SB 1121 would also amend CCPA in the following significant ways:
- Delayed enforcement: The California Attorney General (“AG”) would be prohibited from bringing enforcement actions until either July 1, 2020, or six months after the publication of final regulations issued under the law, whichever is sooner. This delay does not, however, delay the January 1, 2020 effectiveness of CCPA’s data breach privacy right of action.
- Broader exemptions for HIPAA—and GLBA—regulated information: The bill would extend the existing CCPA exemption for HIPAA covered entities to business associates as well, to the extent that they maintain “patient information” in the same manner as protected health information governed by HIPAA. Entities that process personal information regulated under the Gramm-Leach-Bliley Act (“GLBA”) would also be exempt from CCPA privacy requirements, but such information would remain subject to the law’s private right of action.
- Reduced civil fines for unintentional violations: The amendment would cap fines issued by the AG for non-compliance with the law at $2,500 per violation, or $7,500 per intentional violation.
- Fewer barriers to private right of action: The amendment would make it clearer that the law’s private right of action applies only to consumers whose personal information (as narrowly defined in the state’s breach notification law) was subject to unauthorized exfiltration, theft, or disclosure. However, it also would make it easier for consumers to bring such actions by removing the requirement to notify the AG before bringing a suit.
- Clarification of the definition of “personal information”: SB 1121 clarifies that the various categories of information listed in the definition of “personal information” only constitute “personal information” if they meet the other criteria listed in the definition – i.e., if they relate to a particular consumer or household.
SB 1121 waits alongside an Internet of Things (“IoT”) bill for the signature of the governor, who has until September 30th to sign or veto the amendment. In the meantime, he has signed into law another CCPA-related bill, SB 862, which allocates $700,000 and five new staff members to support the AG office’s efforts to promulgate regulations implementing CCPA. Bloomberg reports that the AG expects to issue final rules under the law by June 2019.