On September 23, 2018, California Governor Jerry Brown signed into law SB-1121, a bill that makes several amendments to the Golden State’s landmark Consumer Privacy Act (“CCPA”). California enacted the CCPA in June after legislators reached a last-minute compromise with a group of privacy activists who would have put a more stringent data protection measure on the November ballot. Given the hasty enactment of the law, we expected that the legislature would amend the CCPA before it becomes effective in 2020. SB-1121 is the first such amendment, and it makes several changes to the CCPA that businesses should be aware of.
- Effective Date: The CCPA comes into effect on January 1, 2020 and SB-1121 does not change that, though it does add two caveats. First, it clarifies that the CCPA immediately preempts data privacy laws adopted by localities. Second, the new bill gives the Attorney General until July 1, 2020 to promulgate regulations for the CCPA, and delays the initiation of any enforcement actions “until six months after the publication of the final regulations issued pursuant to this section or July 1, 2020, whichever is sooner.” Notably, SB-1121 does not contain a parallel provision delaying consumer civil actions beyond the CCPA’s January 1, 2020 effective date.
- Private Right of Action: The CCPA authorizes civil actions against businesses that fail to “implement and maintain reasonable security procedures and practices,” when such failures lead to “an unauthorized access and exfiltration, theft, or disclosure” of the consumer’s personal information. SB-1121 clarifies that the above is the only private right of action conferred by the statute. What is more, SB-1121 eliminates the original CCPA’s requirement to notify the Attorney General within 30 days so that her office might prosecute or terminate the action.
- Attorney General Actions: SB-1121 makes a number of small changes to the Attorney General’s ability to bring civil enforcement actions. Most notably, the amendments cap civil penalties at $2,500 for each unintentional violation of the CCPA and $7,500 for each intentional violation. SB-1121 also clarifies that the Attorney General may seek injunctive relief in a civil enforcement action.
- Disclosures – The Right to Delete: The CCPA gives consumers the right to request that a business delete “any personal information about the consumer which the business had collected from the consumer,” with some exceptions. The law also requires businesses to disclose that right to consumers. SB-1121 clarifies that such disclosures must occur “in a form that is reasonably accessible to consumers.”
- Exceptions for Regulated Businesses: The CCPA does not apply to information that is subject to regulation by certain other federal and state laws. For example, the Act exempts information that is covered by statutes such as HIPPA and the Gramm-Leach-Bliley Act, to the extent that the CCPA is in conflict with those laws. SB-1121 revises and clarifies the scope of the CCPA’s exemptions in such situations.
These amendments provide some clarity on the implementation and scope of the CCPA, as well as the duties and liabilities businesses face under the law. Still, as interested parties continue to assess the law’s impact on businesses and consumers, expect to see one or more rounds of further housekeeping amendments before the law comes into force.