The California legislature passed SB 1121, a bill to amend the California Consumer Privacy Act (“CCPA”), on Friday night, hours before the legislature recessed for the year. SB 1121 contained only a few substantive changes, despite advocacy from the business industry, consumer privacy organization, and the California Attorney General for bigger changes.
It was acknowledged by both consumer privacy advocates and the business community when the CCPA was passed in June that amendments would be necessary to clean up obvious drafting errors in the law and potentially to address certain issues where there had not been sufficient time for debate in advance of the law’s passage. State Senator Bill Dodd introduced SB 1121 on August 6, 2018, as clean-up legislation largely intended to fix typographical errors in AB 375. Several substantive changes were added during the legislative process, including:
The definition of “personal information” was revised to clarify that the 11 data elements listed in the definition are not necessarily personal data standing alone, and only constitute personal information if the element “identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household” (§ 1798.140(o)(1)). The business community sought to more reasonably limit the definition to remove burdens when businesses have no means of associating data elements with a natural person. While the language is slightly helpful, the legislature declined to adopt industry’s proposed language or to remove other broad language in this definition, such as the inclusion of households as “identifiable” persons and the listing of probabilistic identifiers and inferences as elements.
HIPAA “covered entities” and health care providers under the California Medical Information Act (CMIA) are now exempted in their entirety, whereas previously those covered entities and health care providers were only exempt as far as they were collecting protected health information and medical information subject to HIPAA and CMIA respectively. However, the exclusion only applies “to the extent that the provider or covered entity maintains patient information in the same manner as medical information or protected health information” (§ 1798.145(c)(1)(B)). It is not clear that this is particularly beneficial, as the only patient information that covered entities have that is not governed by HIPAA is individually identifiable health information in employment records, student records, individuals deceased for 50 years or more, or information that has been exempted from HIPAA through designation as a hybrid entity, and the covered entity was likely not maintaining this patient information in compliance with HIPAA in the same manner as protected health information.
The revised bill exempts HIPAA business associates with respect to protected health information governed by HIPAA, but does not exempt business associates entirely. As a result, business associates who handle some health information on behalf of HIPAA covered entities, but have other health information that falls outside of HIPAA, will continue to face challenges associated with some but not all of their data being covered by the law.
Data collected from clinical trials will be exempt if collected as part of a trial that is subject to the Federal “Common Rule” Policy and follows certain good clinical practice guidelines (§ 1798.145(c)(1)(C)).
Personal information collected, processed, sold or disclosed under the Gramm-Leach Bliley Act (GLBA) and the Driver’s Privacy Protection Act (DPPA) is now exempt—whereas the prior version of the law only exempted the information to the extent the CCPA was in conflict with the these laws. However, entities that are subject to this law can still face private actions in certain circumstances if they experience data breaches. Further, the definitions of personal information contained in those laws is much narrower than that contained in the CCPA, and the law does not address collection of data by financial institutions (covered by GLBA) or state Departments of Motor Vehicles (covered by DPPA) where that data does not meet the definition of personal information in the underlying statute—for example, to the extent a bank uses analytic tools to collect IP addresses and visit information from website visitors. The GLBA exemption was also expanded to cover information regulated by the California Financial Information Privacy Act (§ 1798.145(e) and (f)).
Consumers are no longer required to notify the Attorney General prior to exercising their right to bring a private action against a company who has experienced a breach due to a failure to implement reasonable security measures. (§ 1798.150(b))
The consumer rights and business obligations of the law do not apply to the extent “they infringe on the noncommercial activities of a personal or entity” described in Article 1, Section 2(b) of the California Constitution. This section affords certain rights to publishers, editors, and reporters to refuse to disclose sources of information.
The fines that the Attorney General can seek in an action against a business for violation of the CCPA are reduced to $2,500 per violation, unless the violation was intentional in which case the violation remains at $7,500 (§ 1798.155(b)).
The amended bill also extends the deadline for the Attorney General to issue certain regulations required by the CCPA from Jan. 1, 2020 until July 1, 2020. The business compliance deadline of January 1, 2020 remains unchanged, though the Attorney General is prohibited from bringing any claims of violation against a company until either six months after promulgation of regulations or July 1, 2020, whichever is earlier. This creates an odd situation where businesses might have to comply with the law before necessary guidance on how to comply is issued, and means that businesses might be out of compliance and subject to enforcement immediately upon issuance of the regulations. Section 1798.180, which pre-empts local rules and regulations regarding collection and sale of personal information, was changed to be effective immediately.
SB 1121 also made a number of technical changes to AB 375, such as the hyphenation of “opt-out” and correction of a number of typographical errors.
Changes Not Included in SB 1121
A coalition of business community associations and the Attorney General both sought a wide range of changes to AB 375, few of which were adopted by the legislature.
In a letter dated August 22, 2018, to the California Legislature, the AG cited five “several unworkable obligations and serious operational challenges” imposed upon the AG’s Office by the CCPA. Three of the substantive changes in the law were adopted to address the AG’s concerns: removal of the requirement that private plaintiffs give notice to the AG prior to filing suit, extension of the timeframe for rulemaking, and reduction of civil penalties to $2,500 for unintentional violations of the CCPA, which aligns the penalties to the Unfair Competition Law. The legislature failed to address two additional concerns raised by the AG, specifically:
The requirements in § 1798.55 to provide opinions to “[a]ny business or third party” and an opportunity to cure violations of the CCPA is a requirement to provide free legal advice to private parties, which would be costly as well as create potential conflicts of interest amongst lawyers who are charged with protecting the consumers of California.
The private right of action granted to consumers is too limited and should cover all violations of the CCPA, not solely data breaches.
The legislature also paid little attention to a series of amendments proposed by a coalition of business groups, led by the California Chamber of Commerce, designed to fix aspects of the bill deemed “unworkable” by affected businesses, and thus avoid “negative consequences unintended by the authors.”
Letters from consumer privacy advocates generally pushed back on claims that the new law is unworkable for businesses, noting that many are already complying with the EU General Data Protection Regulation (“GDPR”) which it characterized as “more expansive.” The advocates did express a willingness to discuss certain substantive changes in 2019 when there was more time for debate, including (1) re-defining the definition of “consumers” to exclude employees, so long as the definition continues to include other individuals about whom a business may collect data, even those who do not purchase goods or services; (2) clarifying the definition of devices so as to not allow individuals who share devices to access each other’s data; and (3) clarifying the non-discrimination prohibition, if any confusion cannot be cleared up through regulations by the Attorney General.
What Happens Next?
The revised bill has passed both houses of the California Legislature and is now sitting with Governor Jerry Brown. If the Governor fails to act on the revised bill by September 30, the measure will become law even without his signature. The Governor typically has 12 days to take action, but because August 31 marked the end of the two-year legislative session in California, the California Constitution extends the period to the end of September.