The California Consumer Privacy Act of 2018 (“CaCPA”) will be implemented January 1, 2020, and as we anticipated, the regulation continues to evolve. On August 27, the California legislature published the first amendments to the pending legislation. We previously wrote a comprehensive overview of the CaCPA in its original form here.
Here are some key-takeaways from the recent substantive amendments (note that though the revised bill includes 45 amendments, many simply address technical errors):
- Re-defining “Personal Information”: The new bill revises the definition of personal information, but it remains extremely broad by encompassing information that could be reasonably linked, even indirectly, with a particular person or household. However, the revision may slightly lighten the burden on companies because it adds language clarifying that its list of PI examples (e.g. unique identifiers, IP addresses, geolocation data) are not necessarily PI, but the type of data that is only PI “if it identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.”
- Expanding HIPAA/Adding Clinical Trials Exemption: The revised bill now covers “business associates” as well as covered entities stating that information exempt from the law includes “protected health information that is collected by a covered entity or business associate governed by the privacy, security and breach notification rules issued by” the U.S. Department of Health and Human Services. The amendments also add a new clinical trial exemption that applies to data from trials that are subject to the Federal Policy for the Protection of Human subjects and follow certain leading clinical practice guidelines.
- GLBA/DPPA Revisions: The revised bill removes the contingency that the CaCPA only exempts GLBA and DPPA data where in “conflict” with those statutes and also provides that those exemptions will not apply to the provision giving consumers the right to sue for certain data breaches. The bill also carves out a new similar exemption for data collected under the California Financial Information Privacy Act.
- Limited Private Right of Action: The new bill adds express language to clarify the limits to consumers’ private right of action stating: ““The cause of action established by this section [1798.150] shall only apply to violations as defined in subdivision (a) [breaches] and shall not be based on violations of any other section of this title.”
- Preempts Local Lawmaking Before 2020 Implementation Date: The bill previously preempted local laws regulating collection and sale of consumer PI, but now clarifies that this rule “shall be operative on the effective date of the act.” In other words, once the bill becomes law.
- Limits Penalty to $7,500: Rather than referencing and incorporating Section 17206 of the Business and Professions Code to assess a civil penalty, the revised bill limits the AG’s recovery to $7,500 per violation.
- Revised Timing and Delayed Attorney General Regulations: The revised bill addresses some concerned raised by the Attorney General in a public letter, for example: providing that all civil penalties collected under the CaCPA will be used by the AG and courts to offset costs; deferring the AG’s obligation to adopt regulations to July 1, 2020; and delaying the AG’s right to enforce the CaCPA until July 1, 2020. It is not clear whether the AG can pursue conduct occurring between January and July or before it adopts regulations. So, these timing changes do not mean that companies should not hold out for AG guidance or otherwise delay any compliance efforts.
As we previously wrote, there still appears to be an opportunity to engage directly with the legislature process to help refine the CCPA (as groups have done to facilitate this recent amendment). And, there remains at least the possibility of pre-emptive federal legislation. As we wait and see how provisions evolve and monitor any Attorney General guidance, the CCPA will undoubtedly take significant compliance and companies should not drop this from their radar.