Amendments to California’s expansive Consumer Privacy Act of 2018 (“the Act”) include new provisions that may significantly impact the timing of enforcement and provide exemptions for large amounts of personal data regulated by other laws.
The Act, signed into law in June, is a sweeping data privacy law that regulates the processing of personal data of California residents. Because the Act was hastily passed in order to prevent a similar ballot initiative proceeding to a vote in the November elections, it was expected that the Act would undergo significant amendments before it enters into effect on January 1, 2020.
The first amendments were passed by the California State Legislature on August 31, 2018, in the form of SB-1121 (“the Bill”), and Governor Brown has until September 30, 2018 to sign it. While SB-1121 is labeled as a “technical corrections” bill designed to address drafting errors, ambiguities, and inconsistencies in the Act, in fact, it creates new provisions in addition to those already contained within the Act.
Extension in Enforcement
One notable provision of the Bill is that it grants a six-month grace period from the date the California AG issues regulations or July 1, 2020, whichever is earlier, before enforcement actions can be brought. This extension only applies to the privacy requirements of the law and does not pertain to the data breach class action provisions (including the availability of statutory damages), which will go into effect on January 1, 2020.
If regulations are issued on or before July 1, 2019, an unlikely occurrence since the AG has been given an extension to develop those regulations until July 1, 2020, there will be no six-month grace period.
In any event, the starting date for the enforcement of the Act’s privacy provisions is now entirely unclear.
Another key effect of the Bill is that it fully exempts data that is regulated by the Gramm-Leach-Bliley Act, the California Financial Information Privacy Act, HIPAA, the California Confidentiality of Medical Information Act, the clinical trials Common Rule, and the Driver’s Privacy Protection Act from the privacy requirements of the Act. However, these industries are still subject to the privacy provisions of the Act if they engage in activities falling outside of their applicable privacy regulations (except for the health care industry, which remains exempt as to all data if it treats all data as PHI). Nevertheless, these regulated industries are still subject to the data breach class action provisions of the Act.
The Bill includes some significant clarifications to the Act, including:
- Clarifying that data is only personal data if the data “identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.”
- Clarifying that provisions allowing private causes of action only apply to data breaches and not the entire Act.
- Eliminating the California AG’s 30-day screening process for private causes of action.
- Noting that the Act preempts local laws on the day of its enactment, not enforcement (effectively preempting a current San Francisco privacy ballot measure).
- Stating that the civil penalty for unintentional violations of the privacy provision of the Act is up to $2,500 per violation if the business fails to cure the violation, and up to $7,500 per violation if the violation is intentional.
- Allocating civil penalties and settlements reached pursuant to the Act to the California Consumer Privacy Fund and deleting the requirement that the jurisdiction which initiated the action receives 80 percent of such funds.
As we previously predicted, the Act will continue to evolve prior to its January 1, 2020 enactment. While the current Bill attempts to clarify the Act, it does not address all of the ambiguities and uncertainties. We anticipate further changes and guidance regarding the Act and will continue to monitor the latest developments.