Sixty-four days after the California Assembly and Senate hastily passed the landmark California Consumer Privacy Act (CCPA), the legislature passed SB 1121, which it termed a "technical corrections" bill. Next year, the legislature or the AG's Office must still grapple with a large number of drafting errors, as well as several practical problems and constitutional vulnerabilities in the CCPA.
In fact, SB 1121 is very short on technical corrections. It clarifies only a handful of the dozens of drafting ambiguities and drafting errors in the CCPA.
The legislation's principal effects are to (1) grant a six-month grace period after the Attorney General issues regulations or July 1, 2020 (whichever is earlier), before the privacy requirements of the CCPA may be enforced; and (2) fully exempt from the privacy requirements of the CCPA data regulated by the Gramm-Leach-Bliley Act, HIPAA, the clinical trials Common Rule, and the Drivers' Privacy Protection Act.
1. Partial and possible extension in enforcement
The possible extension is only for the privacy requirements of the law, and not for the data breach class action provisions of Civ. Code § 1798.150, which are scheduled to take effect on January 1, 2020. The extension is conditional – it applies only if the AG's office does not complete by July 1, 2019 its rulemaking under the CCPA (which will address at least verification standards for data subject requests to businesses).
This creates some uncertainty as to the effective date of the CCPA privacy provisions. The AG's Office has little experience as a privacy regulator and wrote to the legislature that it lacks the resources to conduct the rulemaking. What is more, because next year further changes are needed to the hastily-drafted CCPA and the legislature rarely passes legislation before summer, the AG's Office may decide to wait until late summer or fall of 2019 to issue rules. On the other hand, the AG's Office could receive funding and decide to move forward more quickly to complete a narrow rulemaking by July 1, 2019, or (less likely) it could issue rules in the first or second quarters of 2020, thereby giving businesses less than six months to accommodate their practices to the requirements in the AG's rules.
The bottom line: it is now less clear exactly when the CCPA privacy provisions will be enforced, although some delay beyond January 1, 2020 seems likely.
2. Expanded exemptions
The amended exemptions apply to the regulated data, thereby also exempting service providers and ecosystem partners to the extent that they are handling the regulated data, so that they do not need to respond to "do not sell" or access, deletion or data portability requests. However, all these industries (except the healthcare industry, to the extent that it treats non-regulated data the same as HIPAA or clinical trials regulated data) remain subject to the privacy provisions of the CCPA if they engage in activities falling outside of their sectoral privacy regulation. They are also subject to the data breach class action provisions of the CCPA. This means (1) they need to plan to mitigate data breach risk and (2) negotiations over service provider agreements will become more complex.
Nonetheless, the financial services, insurance, healthcare and clinical trials industries and their users (e.g., the pharmaceuticals industry, with regard to clinical trials) as well as service providers can now breathe sighs of relief that they do not need to revamp their GDPR compliance programs to meet the somewhat different requirements of the CCPA as to the exempt data. However, it will be important for businesses in many of these industries to distinguish carefully between their federally regulated and other types of personal data.
3. Limiting the CCPA's First Amendment exception to non-commercial activities
When the CCPA passed, one of its sponsors had promised California newspapers that a technical corrections bill would contain an exception to lighten the law's burden on newspapers. Curiously, SB 1121 actually cuts back on a broad First Amendment exception in the original CCPA bill. This amendment limits the First Amendment exception in § 1798.145(k) so that it applies only to "non-commercial" activities and says nothing about whether news reporting by a media company is non-commercial activity. This is a surprising outcome, given that the legislature could have simply added the phrase "including newsgathering" to the First Amendment exception in the CCPA as enacted to provide clearer protections for newspapers.
The outcome reflects advocate concern about expansive interpretations of business First Amendment rights, including rights to communicate personal data to other entities. It is similar to the CCPA's very unusual exception to the definition of "research" in § 1798.40(s)(8) that excludes any research for a commercial purpose. (That exception appears intended to subject commercial research, but not non-commercial research, to personal data deletion requirements and to exclude disclosures of personal data to third parties for commercial research purposes from the business purpose exception for disclosures.)
These less favorable treatments of communications of personal data for commercial purposes, however, make the amended CCPA more vulnerable to First Amendment challenges by businesses under both commercial speech and fully protected speech theories. One is left to wonder whether they may boomerang on the advocates who support them.
4. Technical corrections
SB 1121 does contain several significant clarifying amendments:
1) clarifying a bit the sweeping list of data elements in the definition of personal data by clarifying that they are personal data only if the data element "identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household" (although even this limitation still goes far beyond federal law definitions of personal data and is operationally problematic)
2) clarifying that the private right of action applies only to data breaches, and not the act as a whole
3) clarifying that the civil penalty for unintentional violations of the privacy provision is up to $2,500 per violation if the business fails to cure an alleged violation
4) removing the Attorney General's 30-day screening/"gatekeeper" function for private rights of action
5) clarifying that the CCPA preempts local laws on the day of its enactment, not the day of its enforcement, thereby preempting a San Francisco privacy ballot measure.
a. Private right of action
Section 1798.150 of the CCPA left some ambiguity as to whether the private right of action in this subdivision applied only to the data breach section contained within section .150, or also to other "disclosures" of personal data under the privacy provisions of the law. SB 1121 amends 1798.150(c) to make clear that "The cause of action established by this section shall apply only to violations as defined in subdivision (a) and shall not be based on violations of any other section of this title."
b. Civil penalty amounts
§ 1798.155(a) of the CCPA as passed referenced the civil penalty provisions of Section 17206 of the Business and Professions Code as the basis for penalties for non-intentional violations of the law. SB 1121 clarifies that "Any business…that violates this title shall be…liable for a civil penalty of not more than two thousand five hundred dollars ($2,500) for each violation or seven thousand five hundred dollars ($7,500) for each intentional violation."
Thus AG recovery for civil enforcement actions is up to $2,500 per violation, unless the Attorney General proves that the violation was intentional, in which case the maximum penalty is up to $7,500 per violation.
c. Attorney General's screening role for class actions
AB 375 included provisions in its data breach section that required the Attorney General to be notified by a consumer bringing a data breach action, required the Attorney General to investigate the allegations, and provided that if the Attorney General acted within 30 days it could object to the action and the case would be dismissed. At the Attorney General's request, this section has been stripped from the bill. This will allow plaintiffs' lawyers to bring a private action against a business for a data breach without clearing that action with the Attorney General. Because the Attorney General's Office did not want to play the role of screening potential lawsuits and, even if willing to do so, would have been very unlikely to complete an investigation within 30 days, the practical effect of this change appears to be quite limited.
However, the CCPA provision allowing a business 30 days to cure any alleged violation has remained, giving businesses the ability in some circumstances to cure a data breach within 30 days and thereby to obtain dismissal of a class action.
d. Local preemption
Finally, SB 1121 fixes a significant gap in the effective date provision of the CCPA by making the provisions of the CCPA that supersede and preempt laws adopted by local municipalities operative on the date the bill becomes effective.
This batch of "technical amendments" to the CCPA does resolve some of the law's many uncertainties. However, largely because of the haste in which the law was prepared, the exact contours of the CCPA's requirements are taking significant time to come into focus. California citizens, privacy advocates and regulated businesses will need to wait until next year's legislative session and the Attorney General's rulemaking before they know how the new rights under the CCPA will work.
This article also appears on the IAPP's blog, Privacy Tracker.