The California Consumer Privacy Act of 2018 (the “CCPA” or the “Act”), which we reported on here and here continues to make headlines as the California legislature fast-tracked a “clean up” bill to amend the CCPA before the end of the 2018 legislative session. In a flurry of legislative activity, the amendment bill (“SB 1121” or the “Amendment”) was revised at least twice in the last week prior to its passage late in the evening on August 31, just hours before the legislative session came to a close. The Amendment now awaits the governor’s signature.
Although many were hoping for substantial clarification on many of the Act’s provisions, the Amendment focuses primarily on cleaning up the text of the hastily-passed CCPA, and falls far short of addressing many of the more substantive questions raised by companies and industry advocates as to the Act’s applicability and implementation.
Nonetheless, SB 1121 contains a few significant revisions to the CCPA:
- No Attorney General Notice Requirement for Consumer Civil Actions
The most notable change is the demise of the Attorney General as the “gatekeeper” for consumer claims under the Act. While the Act generally provides for enforcement by the Attorney General, it establishes a limited private right of action for data breaches, including providing unprecedented statutory damages. SB 1121 removes the Act’s requirement that a consumer must first notify the Attorney General within 30 days of filing a civil action and wait six months to see if the Attorney General will choose to prosecute the case.
While the California Attorney General will continue to have tremendous influence over potential prosecutions under the Act, the amendment will no longer empower the Attorney General to halt a plaintiff’s case by prohibiting the private suit if the Attorney General decides to prosecute. This is good news for plaintiffs’ lawyers who are now free to move forward with a private right of action without any obligation to coordinate with the Attorney General. The change is also a win for the Office of the Attorney General, coming on the heels of California Attorney General Xavier Becerra’s letter on August 22 to Sen. Robert Hertzberg, D-Calif., and State Assemblyman Ed Chau, D-Calif., specifically requesting the removal of the Attorney General notification requirement as an “unnecessary requirement as the courts not the Attorney General decide the merits of private lawsuits.” The legislature appears to have listened.
For companies, however, the barrier to file a civil action is now lower than ever, and the potential reward, higher than ever. All in all, it is a recipe for more litigation following a data breach—more on this point below.
- Clarification on the Basis of Consumer Right of Action
The amendment also attempts to clarify that the civil actions consumers can pursue for unauthorized access and exfiltration, theft, or disclosure of their personal information, are limited to violations of “the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect personal information.” No other violations of any other section of the Act can give rise to a consumer’s private right of action.
Although the amendment clarifies one ambiguity, it leaves in place the more obvious one: the Act itself does not explicitly create any “duty to implement and maintain reasonable security procedures and practices…” So, where then does this duty come from? Though the CCPA contains a reference to Section 1798.81.5 (included in Title 1.81, the CA data breach statute), which does contain an obligation to provide “reasonable security” for certain types of personal information, it refers to that title only in the definition of the type of personal information, the exposure of which may give rise to a cause of action under the CCPA. The legislature did not address this question in SB 1121 and businesses might argue when the Act becomes effective that plaintiff’s claims fail if they cannot identify such a duty, independent of the Act itself.
- Six Month Delay in Attorney General Enforcement
The Amendment extends the period of time for the Attorney General to publish regulations implementing the Act until July 1, 2020 (six months after the CCPA’s effective date). In perhaps a delay of the inevitable, SB 1121 also prohibits enforcement of the Act by the Attorney General until July 1, 2020 or six months after publication of the regulations, whichever is sooner. This is good news for companies, allowing for additional time to implement necessary changes to comply with the Act.
- Civil Penalties for Attorney General Actions
The Amendment also clarifies the monetary penalties that can be assessed in a civil action brought by the Attorney General are limited to $2,500 for each violation, but rise to $7,500 for intentional violations. The Amendment leaves unchanged the provision providing a 30-day cure period before the Attorney General or consumer may initiate an action.
- Revision to the Definition of “Personal Information”
The updated definition of “personal information” emphasizes that the long list of identifiers are not considered to be “personal information” unless and to the extent that they can be linked to a particular consumer or household. This adjustment to the definition helps to clarify that data elements such as purchase history, browsing history, “information regarding a consumer’s interaction with a website, application or advertisement,” geolocation, and similar data are not PI unless they can be linked to a particular consumer or household.
- Some Clarification on Preemption and Exceptions
The Amendment helps clear up some conflict of law questions, clarifying that information collected, processed or disclosed pursuant to the Gramm-Leach-Bliley Act (“GLBA”) and the Driver’s Privacy Protection Act (“DPPA”) are exempt from the CCPA requirements (previously, the federal laws would govern when “in conflict” with the provisions of the CCPA). Similarly, the Amendment adds an exemption for HIPAA-covered entities, for information categorized as “protected health information” collected by covered entities and business associates under HIPAA, and for clinical trial data protected by the Federal Policy for the Protection of Human Subjects. The Amendment also revises the effective date of the preemption clause, Section 1798.80, establishing that the Act supersedes and preempts all rules, regulations, codes and ordinances adopted by local California municipalities, to take effect immediately upon the Amendment’s passage.
- All Attorney General Civil Penalties and Settlements Go to the Consumer Privacy Fund
The Amendment prescribes for any civil penalties assessed or settlement of an action to be deposited in the Consumer Privacy Fund with the intent to fully offset any costs incurred by the state courts and the Attorney General in connection with the Act. This means the previous forecasted formula breakdown for where these penalties will go is no longer at play, which should at least simplify for the Attorney General the management of these funds.
Future Amendments Expected. The revisions set out in SB 1121 fall far short of addressing a myriad of other questions and inconsistencies within the text of the CCPA, and as to how the CCPA should be read to align or preempt existing California law. More amendments are needed, and are expected to be addressed when the legislature reconvenes in early 2019. This may provide little comfort to companies both inside and outside of California, all of whom are eager for clarity on how the CCPA may impact their business.