We recently published an Insight providing an overview of the California Consumer Privacy Act of 2018 (CCPA) and insights on what businesses need to know to prepare for it. Recently the California state legislature published a series of technical amendments to the law, which include some changes of which businesses should be aware.
Passed on August 24, the revision bill (SB 1121) contains 45 amendments, most of which are non-substantive in nature (e.g. correcting errors in the original bill such as inaccurate cross-references). While most of the substantive changes are minor, we identified a few that could affect your readiness plans.
Key changes
SB 1121 clarifies that identifiers specified in the CCPA are no longer automatically considered to fall under the definition of “personal information” — only if they can be connected with an individual or household.
The bill also includes clarifications to avoid conflict with several other regulations, including HIPAA, the Gramm-Leach-Bliley Act (covering information maintained by financial institutions), the Driver’s Privacy Protection Act (covering motor vehicle and driver’s license information), and the California Financial Information Privacy Act.
Additional revisions include the following:
- Consumers’ right to litigation under CCPA only applies to data breaches, not to violations under any other section.
- The CCPA will preempt local laws, but only after the bill goes into effect on January 1, 2020.
- The California Attorney General’s general enforcement of the law will begin “six months after the publication of final regulations issued pursuant to this section or July 1, 2020, whichever is sooner.” Attorney General Xavier Becerra has reportedly told Governor Brown that he expects to issue final rules under the law by June 2019 in anticipation of the January 1, 2020 enforcement date.
What SB 1121 has not changed
While the revisions of SB 1121 offer some clarification and refinement to the original CCPA requirements, the essence of what businesses must do to comply remains unchanged. On January 1, 2020, California residents will still have the right to request information about the data you collect, to access their data in a portable format, to request deletion of their data, and to pursue the other venues the CCPA provides.
Since CCPA covers the previous 12 months of records, most of these rights will relate to data sold or disclosed after January 1, 2019, keeping in mind the broader definition of personal data that includes inferences drawn — meaning that the law could attach to algorithms that companies have previously held as trade secret intellectual property. You must still have a business purpose justifying the use of personal information, provide opt-out capabilities, and meet the law’s other requirements by the enforcement date. You will also want to keep in mind the very specific training requirements required by CCPA. Last week, Governor Brown signed a state funding bill that will grant Attorney General Xavier Becerra $700,000 and five new staffers to help craft and implement the state’s sweeping new privacy law. (For a refresher of CCPA requirements and a list of recommended steps, see “An Overview of the California Consumer Privacy Act of 2018.”)
To meet these obligations — and those connected with future data privacy laws — it’s essential to know your data inside and out: how you use it, where it goes (internally and externally), where it resides, and who has access to it. We will probably see further clarification and minor edits to the law, particularly once the legislature begins a new session in January 2019, but the chances of revisions that will substantially impact your readiness plans remain unlikely.
Like what you see?
Executive Team member Jill Reber is a nationally recognized expert on data privacy — particularly GDPR, CCPA, and other data protection laws — and has spoken on the topic at conferences sponsored by American Banker, International In-House Counsel Journal, and other national and international organizations.