Written by Michael Young
Last Friday, the California Senate and Assembly passed SB-1121, amending the California Consumer Privacy Act (“CCPA”) as enacted in June. We previously issued an advisory following the June enactment, and will host a webinar discussing the law (as now amended) on September 12. This blog post highlights some of the key amendments to the CCPA.
SB-1121 amends the CCPA as follows:
- Exemptions for Health Providers. The bill clarifies that the CCPA does not apply to protected health information (“PHI”) or medical information governed by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) or California’s Confidentiality of Medical Information Act (“CMIA”). In addition, SB-1121 fully exempts health care providers from the CCPA to the extent that they maintain “patient information” in the same manner as medical information or protected health information governed by HIPAA or the CMIA. This creates a possible incentive for health care providers and health plans to bring non-PHI patient information, such as non-PHI processed through mobile applications or IoT devices, under existing HIPAA compliance programs.
- Broader Exemption under Gramm-Leach-Bliley. As originally enacted, the CCPA stated that it did not apply to “personal information collected, processed, sold or disclosed pursuant to the federal Gramm-Leach-Bliley Act . . . if it is in conflict with that law.” (Emphasis added.) The italicized clause in the original enactment created some legal uncertainty, potentially requiring companies to assess whether conflicts exist between the CCPA and the Gramm-Leach-Bliley Act (“GLBA”). SB-1121 deletes this italicized text, making clear for financial institutions that nonpublic personal information subject to GLBA or the California Financial Information Privacy Act is not subject to the CCPA. However, such information remains subject to the private right of action created by Section 1798.150 of the CCPA, which creates a right of action for data breaches of “personal information” under California’s data breach law.
- Civil Fines. SB-1121 makes clear that the California Attorney General may seek civil penalties of up to $2500 for each violation of the CCPA, or $7500 for intentional violations. These provisions make plain the intent of the CCPA as originally enacted by eliminating a difficult-to-interpret cross-reference to another California law. In addition, SB-1121 requires that, in connection with such an action by the California Attorney General, businesses violating the statute “shall be subject to an injunction.”
- New Process for Data Breach Claims. As noted above, the original CCPA created a private cause of action backed by statutory damages in connection with data breaches. In connection with these new statutory rights, the original CCPA required consumers’ bringing such a lawsuit to notify the California Attorney General. The CCPA empowered the Attorney General to intervene and prevent the consumer from proceeding with the lawsuit. SB-1121 deletes the provisions permitting the Attorney General to prevent consumer lawsuits resulting from data breaches.
- Enforcement Grace Period. SB-1121 prohibits the California Attorney General from enforcing the CCPA “until six months after the publication of the final regulations issued pursuant to this section or July 1, 2020, whichever is sooner.” Thus, unless the California AG issues final regulations before that date, this provision gives companies a 6-month enforcement grace period. Note, however, that the grace period does not limit consumer’s private actions under section 1798.150 in connection with a security incident.
- Technical Edits. The CCPA as originally enacted contained a number of drafting mistakes, such as dangling subdivisions not properly connected to their introductory material and ungrammatical clauses. The bill fixes these technical issues and rearranges some sections slightly.
Although passed by both houses of the California legislature, SB-1121 will not become law until signed by California’s governor. The bill will have immediate effect amending the CCPA, which itself becomes operative on January 1, 2020. For convenience, you may download a redline comparison showing SB-1121’s changes to the substantive provisions of the CCPA as originally enacted.