SB 1121 Won’t Make Substantive Changes to New California Privacy Law

Last week, we posted about California Senate Bill 1121, which contains several proposed technical corrections to the California Consumer Privacy Act. The correction process has been foreshadowed since June, when the sponsors of AB 375 implied that the bill wasn’t perfect but there would be time to make adjustments between its passage and the effective date of January 1, 2020.

Now that the process is under way, organizations on both sides of the privacy fight have suggested substantive changes to the bill. This has left businesses focused on compliance with the CaCPA a bit up in the air. The text of AB 375 currently makes a handful of amendments to the law. As the precise contours of the changes became clearer in the past few weeks, both a group of nearly 40 business organizations and the Electronic Frontier Foundation (EFF) have suggested changes to its terms.

It doesn’t appear that these organizations are going to get additional input into the law’s major provisions in 2018 according to the latest out of Senator Bill Dodd’s office. Senator Dodd’s spokesperson told the Sacramento Bee that there would be “no substantial changes” in SB 1121. Instead, any significant changes through the legislative process would be considered for 2019 after SB 1121 was passed.

The need for SB 1121 arose out of the abbreviated legislative process. The New York Times Magazine from last weekend provided an overview of the background discussions that took place behind the scenes and resulted in the CA legislature’s passage of AB 375 rather than a public vote in November on the bill written by Californians for Consumer Privacy. The deal on the legislation had to be done before the deadline to withdraw the November initiative from the ballot – so it was struck and passed very quickly. Despite the fast trip through the legislature, no one voted against it and it was signed into law by California Governor Jerry Brown a few hours before the deadline.

We have already discussed the changes proposed by the business organizations last week, including the delay of the implementation date until one year after the publication of the final rules by the California Attorney General. The EFF proposed changes include allowing users to bring companies to court for violations, requiring user consent for data collection, providing for opt-in consent rather than opt-out consent concerning data sales and making the right to know (aka right to access) more granular to provide specific information rather than general categories.

Ultimately, there is still a long way to go before the California law goes into effect. Some or all of the California law could be preempted by federal legislation that the White House is reportedly working on. The Washington Post reported last month that government officials had held 22 meetings with more than 80 companies in order to create a data privacy proposal concerning data collection and subject access rights that could become the basis for a new federal privacy law in the United States. One of the reasons that businesses have been pushing for federal action is so that they can avoid the need to comply with 50 different state laws, as they must do now with data breach notifications.

The media has reported that the President’s privacy law will be revealed in the fall, no doubt hoping that Congress gets to work. Nevertheless, businesses that can’t afford to risk the penalties for non-compliance in California need to start improving their data privacy practices now. Since federal preemption generally isn’t favored and states are often allowed to exceed the standards set by Congress and the President, there is still a significant likelihood that some or most of the California law will still be going into effect on January 1, 2020.

The momentum for a comprehensive federal privacy law has been built from a number of different places, including the Facebook – Cambridge Analytica scandal over third party data sharing and concerns among the business community about the spread of the European Union’s General Data Protection Regulation (GDPR). Yet, it is still too soon to say what impact it will have on the California Consumer Privacy Act. There are several bills in both the U.S. House of Representatives and the Senate addressing privacy at the moment, and it remains to be seen which one will gather the support of politicians, the business community and the public. If none gains a majority of support, then California will obviously go into effect. And even if Congress does pass a new law, some of the existing proposals do not call for full federal preemption of state privacy laws.

Other Blog Posts on the California Consumer Privacy Act:

PWC Survey on CCPA: Enterprise Compliance Expected at 52% by January 1, 2020
California Adopts SB-1121 Amendments to Consumer Privacy Act
SB 1121 to Amend California Consumer Privacy Act Soon
California AG Objects to 5 Sections of CCPA Privacy Law
SB 1121 Amendments Kickoff Debate Over California Consumer Privacy Act Changes
Expect AG to Issue California Privacy Regulations in June 2019
Will California’s Privacy Law Extend to the Rest of the Country?
Privacy Policy Changes Required by California Consumer Privacy Act
Big Day for California Privacy Law
California to Pass New Privacy Law: CA Consumer Privacy Act

Improve Data Privacy for GDPR or CCPA with Clarip

The Clarip team and privacy management software are ready to meet your compliance automation challenges. Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo or speak to a member of the Clarip team.

If compliance with the California Consumer Privacy Act is your focus until 2020, ask us about our CCPA software. Handle automation of data subject access requests with our DSAR Portal, or provide the right to opt out of the sale of personal information with the consent software.

Need to improve your GDPR compliance solution? Clarip offers modular GDPR software that can fill in gaps in your privacy program. Choose from the data mapping software for an automated solution to understanding your data collection and sharing, conduct privacy risk assessments with DPIA software, or choose the cookie consent manager for ePrivacy.

Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo and speak to a member of the Clarip team.