SB 1121 to Amend California Consumer Privacy Act Soon

SB 1121 is working its way through the California legislature on its way to amend the California Consumer Privacy Act. This is the “technical corrections” bill that was promised by the co-sponsors of the law at the time that it was signed and has been the subject of heavy lobbying between business organizations and consumer privacy advocates this month. According to an article published by IAPP, the vote will occur later this week.

We took a look at some of the changes proposed in the bill to make sure that we are on top of the latest after the California Attorney General’s letter to the co-sponsors concerning five objections to the current language. According to an article in the IAPP Privacy Tracker, the revisions in SB 1121 contain 45 amendments to the California privacy law. Here are some of the important and minor changes that we identified:

Personal Information Definition

It excudes association with a device from the definition of personal information. The new definition of personal information will cover information that identifies, relates to, describes, is capable of being associated with, or could be reasonably be linked with a particular consumer or household.

Legal Exemptions

The amended California Consumer Privacy Act would now exclude medical information governed by the Confidentiality of Medical Information Act or information covered by the federal regulations established pursuant to HIPAA and the HITECH Act, certain clinical trial information, and personal information collected or processed pursuant to the California Financial Information Privacy Act.

The bill also extends the exemption for information under the GLBA and the DPPA from cases where the law is in conflict with the California Consumer Privacy Act to all instances of personal infomration collected, processed, sold or disclosed under the law. The amendments do exempt the private cause of action for data breaches from the exemptions for financial information and driver’s license information.

Free Speech Exemption

The language to protect speech initially added to SB 1121 has been modified once again. Now, the law would make clear that the rights and obligations created do not apply to the extent they they infringe on noncommercial activities protected by California Constitution, Article I, Section 2(b), which protects journalists from having to reveal a source.

Private Right of Action

The amendments clarify that the cause of action available to consumers is limited and the law does not extend the consumer right to sue to other sections.

SB 1121 will also eliminate the requirement for a consumer to notify the Attorney General after it has filed the lawsuit and wait for a decision by the Attorney General concerning whether it was going to prosecute the company.

Civil Penalties

The language in the new privacy bill eliminates the reference to the California Unfair Competition Law which the Attorney General identified as likely unconstitutional and instead sets forth its own penalty scheme. Under the amended law, businesses will be subject to a civil penalty of not more than $2,500 for each violation or $7,500 for each intentional violation.

Start of Enforcement

Enforcement is going to be delayed six months to July 1, 2020 unless the Attorney General publishes the final regulations before January 1, 2020.

The law previously required the Attorney General to issue final regulations for some sections within one year of the signing of AB 375, or June 2018, and finish by January 1, 2020, the effective date for the start of enforcement. The AG last week sent a letter to the California legislature stating that the time frame for it to issue regulations was unrealistic.

Other Changes

Replaces the phrase verifiable request with verifiable consumer request in a few places to conform to the defined legal term.

The phrases “opt in” and “opt out” have had a hyphen inserted and the letter s has been added to the possessive business’ to make business’s.

The express authorization requirement for the sale of personal information after an opt-out has been moved below the section about the right to opt-in for children.

Some redundancy has been removed from the service provider exception.

Stay Tuned

We are keeping a close eye on the amendments to the California Consumer Privacy Act and will bring you more information here when it is finalized.

Improve Data Privacy for GDPR or CCPA with Clarip

The Clarip team and enterprise privacy management software are ready to meet your compliance automation challenges. Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo or speak to a member of the Clarip team.

If compliance with the California Consumer Privacy Act is your focus until 2020, ask us about our CCPA software. Handle automation of data subject access requests with our DSAR Portal, or provide the right to opt out of the sale of personal information with the consent management software.

Need to improve your GDPR compliance solution? Clarip offers modular GDPR software that can fill in gaps in your privacy program. Choose from the data mapping software for an automated solution to understanding your data collection and sharing, conduct privacy risk assessments with DPIA software, or choose the cookie consent manager for ePrivacy.

Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo and speak to a member of the Clarip team.