On Friday, August 31, the California legislature unanimously passed a host of “clean-up” amendments to the new California Consumer Privacy Act (CCPA), AB 375, as it set about addressing flaws and other concerns in the state’s groundbreaking data privacy law. These amendments are now awaiting Governor Brown’s signature.
These amendments follow closely on the heels of the State’s initial enactment of the CCPA in June. The CCPA was drafted and became law with extraordinary speed, as legislators felt the need to enact the bill quickly in order to preempt a data privacy ballot initiative that had received enough signatures to be placed on California’s November ballot. Given the law’s hasty drafting, there was broad agreement – even as the Governor was signing the CCPA into law – that revisions would be necessary to correct, at the very least, some of the plain drafting errors in the bill.
The Legislature passed the first round of such amendments last week in the hours before the legislative session came to a close. The Amendments reflect input from a variety of sources, including industry groups as well as California’s Attorney General, who is tasked with both rulemaking and enforcement under the CCPA. This round of changes may only be the first of several prior to the law’s effective date (January 2020). While many of the revisions correct drafting errors, several address substantive issues that could have an impact on entities that conduct business in California.
Delayed Deadline for Regulations and Enforcement, But Not Compliance. The CCPA will take effect on January 1, 2020 and businesses will need to be in compliance with the law at that time. Yet under the amendments, the Attorney General will be able to wait until July 1, 2020, to promulgate final regulations under the Act. The revisions also delay the earliest date on which the Attorney General may take enforcement actions until the earlier of July 1, 2020 or six months after final regulations are published. This is significant as it is possible that entities will have limited time to align their compliance programs with the regulations before potential enforcement.
Industry groups had urged that the compliance date be pushed back to give businesses more time to comply with the CCPA after completion of the final regulations. By imposing a deadline for rulemaking to be followed by enforcement shortly thereafter, the legislature may have created more uncertainty and put pressure on companies to build out and invest in compliance programs that may not necessarily conform to the prospective regulations.
Changes to the CCPA’s Interaction with Other Laws. The CCPA’s original provisions regarding the interaction between the California law and federal laws like the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Gramm-Leach-Bliley Act (GLBA) have caused confusion and consternation. The amendments make several changes in this regard, although many may observe they did not yet go far enough in deferring to existing complex federal regulatory schemes. First, the amendments will expressly extend an exemption for information collected by HIPAA-covered entities to information collected by HIPAA-regulated “business associates” as well. They also clarify other aspects of the exemptions under the law for health information protected by federal and state law, and information that is covered by the GLBA, the Driver’s Privacy Protection Act (DPPA), and the California Financial Information Privacy Act. In particular, the amendments now provide that the CCPA shall not apply to health care providers or covered entities under HIPAA “to the extent the provider or covered entity maintains patient information in the same manner” that it maintains medical information governed by the California Confidentiality of Medical Information Act or protected health information that is collected by a covered entity or business associate governed by the HIPAA regulations, as amended. In addition, with the exception noted below related to private rights of action, the amendments provide that the CCPA “shall not apply to personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act” or the DPPA. This new, broader language removes some of the prior ambiguity that limited the scope of the GLBA and DPPA exemptions to circumstances where the federal law “is in conflict with” the law, by striking the conditional “conflict” language.
Exemption for Clinical Trial Data. Information collected as part of clinical trials that is already separately regulated is now exempted from the CCPA – a modification likely designed to avoid concerns about how the rights afforded to consumers under the CCPA might have impacted clinical trials.
Modifications to Private Right of Action. Several of the amendments impact the CCPA’s private right of action for data breaches. Significantly, these amendments “clarify that the only private right of action permitted under the act is the private right of action . . . for violations of unauthorized access and exfiltration, theft, or disclosure of a consumer’s nonencrypted or nonredacted personal information.” However, the amendments also make it easier for consumers to avail themselves of this narrow private right of action.
- Though consumer data disclosed pursuant to the GLBA or DPPA is not subject to the privacy provisions of the CCPA, the amendments permit consumers to bring suit under the data breach provisions of the CCPA regarding such data.
- Consumers no longer have to notify the Attorney General before bringing suit pursuant to the CCPA’s limited private right of action. Also deleted is the requirement that, after notifying the Attorney General, consumers wait 30 days to allow the Attorney General to decide whether to prosecute the violation itself or allow the consumer to proceed with its suit. Under the amended statute, consumers must still provide businesses a 30-day notice and opportunity to cure, consumers need not undertake any other actions before filing suit under the CCPA.
- Significantly, however, even after the above amendments, only the Attorney General is authorized to bring suit to enforce against alleged substantive violations of the CCPA’s privacy requirements. As noted above, the private right of action is limited to a data breach context.
Reduction in Statutory Penalties. The amendments reduce certain of the CCPA’s statutory penalties. If the Attorney General brings suit against a company for failure to comply with the law, damages will be $2,500 per violation rather than the original law’s $7,500 per violation. Intentional violations will, however, remain at the $7,500 level.
The Definition of “Personal Information”. The amendments also clarify the statutory definition of “personal information” that is the subject of the law—but left the significant breadth of the definition intact. The amendment clarifies that the different types of data included in the examples of “personal information” (e.g., biometric information) will only satisfy the definition if such data also meets the criteria at the beginning of the definition, which requires that the data “relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household. Note, however, that the definition of “consumer” was not amended, and remains any “natural person who is a resident of California.” This definition would not appear to exclude employees or other individuals whose information is obtained by a business outside of a personal context or household-type transactions or relationships.
Immediate Preemption of Local Laws. The CCPA already explicitly states that it “supersedes and preempts all rules, regulations, codes, ordinances, and other laws adopted by a city, county, city and county, municipality, or local agency regarding the collection and sale of consumers’ personal information by a business.” The “clean-up” bill states that it seeks to “prevent the confusion created by the enactment of conflicting local laws regarding the collection and sale of personal information” and, therefore, makes local law preemption immediate upon the Governor’s signature of the bill.
* * *
Considering the many calls for more substantive requests for amendment, the changes in this “clean-up bill” are ultimately fairly modest – except, arguably, with respect to the solid exemption now provided for GBLA-covered personal information. However, interest remains in legislatively addressing the outstanding concerns of the scope of the law and its interaction with other regulatory frameworks. With these and other changes in place, the stage is now set for important regulatory developments down the road as well as potentially further substantive amendments when the legislature reconvenes in January 2019.