California Adopts SB-1121 Amendments to Consumer Privacy Act
On Friday, the California legislature delayed enforcement of the California Consumer Privacy Act by six months and made various other technical corrections when it adopted SB-1121 before closing out its 2018 legislative session. The legislature also allocated $700,000 in the California budget on Thursday for the Attorney General to begin preparing for the new privacy law.
The California Consumer Privacy Act was adopted in June in order to avoid a November ballot initiative pushed by the Californians for Consumer Privacy. At the time, the co-sponsors spoke of further amending the act to make necessary technical corrections to clean up the grammar and clarify the law. The initial text of that bill, SB-1121, was released a few weeks ago. After comments by several stakeholders including business organizations, consumer groups and the California Attorney General, additional changes were made and the process has now been concluded for the year.
We summarized the major changes from the law in a blog post last week, but it is worth going over a few of them again:
The Attorney General’s Office was granted a one year extension on the creation of regulations surrounding the law – now due by July 1, 2020. The Attorney General had previously criticized the law for turning it into a regulatory body and not allocating the budget to hire the necessary professionals.
Enforcement by the Attorney General will begin six months after the Attorney General concludes its rulemaking process, but no earlier than January 1, 2020 and no later than July 1, 2020. However, SB-1121 did not delay implementation of the limited private right of action, which will give consumers the ability to bring a class action for a data breach resulting from the violation of a duty to implement and maintain reasonable security procedures.
Private Right of Action
The amendments to the class action section eliminated the notice requirement to the Attorney General and clarified that it was not a general right to a cause of action under the law. Class action plaintiffs will no longer need to notify the Attorney General and wait 30 days for a decision from the AG office about its plans.
Interaction with Other Laws
The bill now prohibits its application to the personal information collected, processed, sold or disclosed under a number of federal laws, as well as the Driver’s Privacy Protection Act of 1994 and the California Financial Information Privacy Act. The federal laws include the federal Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, HIPAA, HiTech Act, Confidentiality of Medical Information Act, or the Federal Policy for the Protection of Human Subjects (known as the Common Rule). The banks and driver’s license information are however not excluded from the section allowing data breach class actions.
The 2019-2020 legislative session for California appears to start on December 3, 2018 based on the current calendar. The co-sponsors of the bill have said that they will consider more substantive amendments to the California Consumer Privacy Act during the 2019 legislative session. Given the reportedly heavy lobbying around the bill and the proposal for a federal privacy law, there could be additional changes to the California privacy law then. However, if the law is weakened too much, Californians for Consumer Privacy could decide to abandon its support of AB-375 and recollect signatures to put a new privacy proposal on the ballot in the future.
The biggest threat to California’s privacy law and hope for businesses right now is federal action by the Trump administration and Congress. There has been intense lobbying for federal preemption of state action (like California) over the past few months. Members of the Senate Commerce Committee have reportedly been working on at least two different pieces of legislation and the White House has said that it plans to float its own proposal this fall, although since none of them have been released it is not yet known whether they would preempt the California privacy law. When combined with the October talks about the Privacy Shield, it will be a busy few weeks considering privacy in Washington DC.
Other Blog Posts on the California Consumer Privacy Act:
PWC Survey on CCPA: Enterprise Compliance Expected at 52% by January 1, 2020
SB 1121 to Amend California Consumer Privacy Act Soon
California AG Objects to 5 Sections of CCPA Privacy Law
SB 1121 Won’t Make Substantive Changes to New California Privacy Law
SB 1121 Amendments Kickoff Debate Over California Consumer Privacy Act Changes
Expect AG to Issue California Privacy Regulations in June 2019
Will California’s Privacy Law Extend to the Rest of the Country?
Big Day for California Privacy Law
California to Pass New Privacy Law: CA Consumer Privacy Act
Improve Data Privacy for GDPR or CCPA with Clarip
The Clarip team and enterprise privacy management software are ready to meet your compliance automation challenges. Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo or speak to a member of the Clarip team.
If compliance with the California Consumer Privacy Act is your focus until 2020, ask us about our CCPA software. Handle automation of data subject access requests with our DSAR Portal, or provide the right to opt out of the sale of personal information with the consent management software.
Need to improve your GDPR compliance solution? Clarip offers modular GDPR software that can fill in gaps in your privacy program. Choose from the data mapping software for an automated solution to understanding your data collection and sharing, conduct privacy risk assessments with DPIA software, or choose the cookie consent manager for ePrivacy.
Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo and speak to a member of the Clarip team.