Clean-Up Bill Advances to Amend the New California Consumer Privacy Act
On Friday, August 31, the California legislature unanimously passed a host of “clean-up” amendments to the new California Consumer Privacy Act (CCPA), AB 375, as it set about addressing flaws and other concerns in the state’s groundbreaking data privacy law. These amendments are now awaiting Governor Brown’s signature.
These amendments follow closely on the heels of the State’s initial enactment of the CCPA in June. The CCPA was drafted and became law with extraordinary speed, as legislators felt the need to enact the bill quickly in order to preempt a data privacy ballot initiative that had received enough signatures to be placed on California’s November ballot. Given the law’s hasty drafting, there was broad agreement – even as the Governor was signing the CCPA into law – that revisions would be necessary to correct, at the very least, some of the plain drafting errors in the bill.
The Legislature passed the first round of such amendments last week in the hours before the legislative session came to a close. The Amendments reflect input from a variety of sources, including industry groups as well as California’s Attorney General, who is tasked with both rulemaking and enforcement under the CCPA. This round of changes may only be the first of several prior to the law’s effective date (January 2020). While many of the revisions correct drafting errors, several address substantive issues that could have an impact on entities that conduct business in California.
Delayed Deadline for Regulations and Enforcement, But Not Compliance. The CCPA will take effect on January 1, 2020 and businesses will need to be in compliance with the law at that time. Yet under the amendments, the Attorney General will be able to wait until July 1, 2020, to promulgate final regulations under the Act. The revisions also delay the earliest date on which the Attorney General may take enforcement actions until the earlier of July 1, 2020 or six months after final regulations are published. This is significant as it is possible that entities will have limited time to align their compliance programs with the regulations before potential enforcement.
Industry groups had urged that the compliance date be pushed back to give businesses more time to comply with the CCPA after completion of the final regulations. By imposing a deadline for rulemaking to be followed by enforcement shortly thereafter, the legislature may have created more uncertainty and put pressure on companies to build out and invest in compliance programs that may not necessarily conform to the prospective regulations.
Changes to the CCPA’s Interaction with Other Laws. The CCPA’s original provisions regarding the interaction between the California law and federal laws like the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Gramm-Leach-Bliley Act (GLBA) have caused confusion and consternation. The amendments make several changes in this regard, although many may observe they did not yet go far enough in deferring to existing complex federal regulatory schemes. First, the amendments will expressly extend an exemption for information collected by HIPAA-covered entities to information collected by HIPAA-regulated “business associates” as well. They also clarify other aspects of the exemptions under the law for health information protected by federal and state law, and information that is covered by the GLBA, the Driver’s Privacy Protection Act (DPPA), and the California Financial Information Privacy Act. In particular, the amendments now provide that the CCPA shall not apply to health care providers or covered entities under HIPAA “to the extent the provider or covered entity maintains patient information in the same manner” that it maintains medical information governed by the California Confidentiality of Medical Information Act or protected health information that is collected by a covered entity or business associate governed by the HIPAA regulations, as amended. In addition, with the exception noted below related to private rights of action, the amendments provide that the CCPA “shall not apply to personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act” or the DPPA. This new, broader language removes some of the prior ambiguity that limited the scope of the GLBA and DPPA exemptions to circumstances where the federal law “is in conflict with” the law, by striking the conditional “conflict” language.
Exemption for Clinical Trial Data. Information collected as part of clinical trials that is already separately regulated is now exempted from the CCPA – a modification likely designed to avoid concerns about how the rights afforded to consumers under the CCPA might have impacted clinical trials.
Modifications to Private Right of Action. Several of the amendments impact the CCPA’s private right of action for data breaches. Significantly, these amendments “clarify that the only private right of action permitted under the act is the private right of action . . . for violations of unauthorized access and exfiltration, theft, or disclosure of a consumer’s nonencrypted or nonredacted personal information.” However, the amendments also make it easier for consumers to avail themselves of this narrow private right of action.
- Though consumer data disclosed pursuant to the GLBA or DPPA is not subject to the privacy provisions of the CCPA, the amendments permit consumers to bring suit under the data breach provisions of the CCPA regarding such data.
- Consumers no longer have to notify the Attorney General before bringing suit pursuant to the CCPA’s limited private right of action. Also deleted is the requirement that, after notifying the Attorney General, consumers wait 30 days to allow the Attorney General to decide whether to prosecute the violation itself or allow the consumer to proceed with its suit. Under the amended statute, although consumers must still provide businesses a 30-day notice and opportunity to cure, consumers need not undertake any other actions before filing suit under the CCPA.
- Significantly, however, even after the above amendments, only the Attorney General is authorized to bring suit to enforce against alleged substantive violations of the CCPA’s privacy requirements. As noted above, the private right of action is limited to a data breach context.
Reduction in Statutory Penalties. The amendments reduce certain of the CCPA’s statutory penalties. If the Attorney General brings suit against a company for failure to comply with the law, damages will be $2,500 per violation rather than the original law’s $7,500 per violation. Intentional violations will, however, remain at the $7,500 level.
The Definition of “Personal Information”. The amendments also clarify the statutory definition of “personal information” that is the subject of the law—but leave the significant breadth of the definition intact. The amendment clarifies that the different types of data included in the examples of “personal information” (e.g., biometric information) will only satisfy the definition if such data also meets the criteria at the beginning of the definition, which requires that the data “relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.” Note, however, that the definition of “consumer” was not amended, and remains any “natural person who is a resident of California.” This definition would not appear to exclude employees or other individuals whose information is obtained by a business outside of a personal context or household-type transactions or relationships.
Immediate Preemption of Local Laws. The CCPA already explicitly states that it “supersedes and preempts all rules, regulations, codes, ordinances, and other laws adopted by a city, county, city and county, municipality, or local agency regarding the collection and sale of consumers’ personal information by a business.” The “clean-up” bill states that it seeks to “prevent the confusion created by the enactment of conflicting local laws regarding the collection and sale of personal information” and, therefore, makes local law preemption immediate upon the Governor’s signature of the bill.
Modification of Required Publicity of Right to Delete. The CCPA grants consumers the right to request the deletion of personal information about the consumer collected by a business, and requires businesses to comply with verified requests to that effect (with certain exceptions). The CCPA further required businesses that collect personal information about consumers to disclose the consumer’s deletion rights on their website or in their online privacy policy or policies. Though the “clean-up” bill retains a requirement that businesses notify consumers of the right to delete, the bill removes the specific reference to where this disclosure must be located.
* * *
Considering the many calls for more substantive requests for amendment, the changes in this “clean-up bill” are ultimately fairly modest – except, arguably, with respect to the solid exemption now provided for GLBA-covered personal information. However, interest remains in legislatively addressing the outstanding concerns of the scope of the law and its interaction with other regulatory frameworks. With these and other changes in place, the stage is now set for important regulatory developments down the road as well as potentially further substantive amendments when the legislature reconvenes in January 2019.