Sixty-four days after the California Assembly and Senate hastily passed the landmark California Consumer Privacy Act of 2018, the legislature passed SB 1121, which it termed a “technical corrections” bill. Next year, the legislature or the Attorney General’s Office must still grapple with a large number of drafting errors, as well as several practical problems and constitutional vulnerabilities in CaCPA.
In fact, SB 1121 is very short on technical corrections. It clarifies only a handful of the dozens of drafting ambiguities and errors in CaCPA.
The legislation’s principal effects are to (1.) grant a six-month grace period beginning when the attorney general issues regulations or July 1, 2020 (whichever is earlier), before the privacy requirements of CaCPA may be enforced; and (2.) fully exempt from CaCPA's privacy requirements data that is regulated by the Gramm-Leach-Bliley Act, HIPAA, the clinical trials Common Rule, and the Driver's Privacy Protection Act.
Partial and possible extension in enforcement
The possible extension is only for the privacy requirements of the law, and not for the data breach class action provisions of Civ. Code § 1798.150, which are scheduled to take effect Jan. 1, 2020. The extension is conditional — it applies only if the Attorney General’s Office does not complete by July 1, 2019, its rulemaking under CaCPA (which will address at least verification standards for data subject requests to businesses).
This creates some uncertainty as to the effective date of the CaCPA privacy provisions. The Attorney General’s Office has little experience as a privacy regulator and wrote to the legislature that it lacks the resources to conduct the rulemaking. What is more, because further changes are needed next year to the hastily drafted CaCPA and the legislature rarely passes legislation before summer, the Attorney General’s Office may decide to wait until late summer or fall of 2019 to issue rules. On the other hand, the Attorney General’s Office could receive funding and decide to move forward more quickly to complete a narrow rulemaking by July 1, 2019, or (less likely) it could issue rules in the first or second quarters of 2020, thereby giving businesses less than six months to accommodate their practices to the requirements in the AG’s rules.
The bottom line: It is now less clear exactly when CaCPA privacy provisions will be enforced, although some delay beyond Jan. 1, 2020, seems likely.
The amended exemptions apply to the regulated data, thereby also exempting service providers and ecosystem partners to the extent that they are handling the regulated data, so that they do not need to respond to “do not sell” or access, deletion or data portability requests. However, all these industries (except the health care industry to the extent that it treats non-regulated data the same as HIPAA or clinical trials regulated data) remain subject to the privacy provisions of CaCPA if they engage in activities falling outside of their sectoral privacy regulation. They are also subject to the data breach class action provisions of CaCPA. This means (1.) they need to plan to mitigate data breach risk, and (2.) negotiations over service provider agreements will become more complex.
Nonetheless, the financial services, insurance, health care and clinical trials industries and their users (e.g., the pharmaceutical industry with regard to clinical trials), as well as service providers can now breathe sighs of relief that they do not need to revamp their GDPR compliance programs to meet the somewhat different requirements of CaCPA as to the exempt data. However, it will be important for businesses in many of these industries to distinguish carefully between their federally regulated data and other types of personal data.
Limiting CaCPA’s First Amendment exception to non-commercial activities
When CaCPA passed, one of its sponsors had promised California newspapers that a technical corrections bill would contain an exception to lighten the law’s burden on newspapers. Curiously, SB 1121 actually cuts back on a broad First Amendment exception in the original CaCPA bill. This amendment limits the First Amendment exception in § 1798.145(k) so that it applies only to “non-commercial” activities and says nothing about whether news reporting by a media company is a non-commercial activity. This is a surprising outcome, given that the legislature could have simply added the phrase “including newsgathering” to the First Amendment exception in CaCPA as enacted to provide clearer protections for newspapers.
The outcome reflects advocate concern about expansive interpretations of business First Amendment rights, including rights to communicate personal data to other entities. It is similar to CaCPA’s very unusual exception to the definition of “research” in § 1798.40(s)(8), which excludes any research for a commercial purpose. (That exception appears intended to subject commercial research, but not non-commercial research, to personal data deletion requirements and to exclude disclosures of personal data to third parties for commercial research purposes from the business purpose exception for disclosures.)
These less favorable treatments of communications of personal data for commercial purposes, however, make the amended CaCPA more vulnerable to First Amendment challenges by businesses under both commercial speech and fully protected speech theories. One is left to wonder whether they may boomerang on the advocates who support them.
SB 1121 does contain several significant clarifying amendments.
- Clarifying a bit the sweeping list of data elements in the definition of personal data by specifying that they are personal data only if the data element “identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household” (although even this limitation still goes far beyond federal law definitions of personal data and is operationally problematic).
- Clarifying that the private right of action applies only to data breaches, and not the act as a whole.
- Clarifying that the civil penalty for unintentional violations of the privacy provision is up to $2,500 per violation if the business fails to cure an alleged violation.
- Removing the attorney general’s 30-day screening/“gatekeeper” function for private rights of action.
- Clarifying that CaCPA preempts local laws on the day of its enactment, not the day of its enforcement, thereby preempting a San Francisco privacy ballot measure.
Private right of action
Section 1798.150 of CaCPA left some ambiguity as to whether the private right of action in this subdivision applied only to the data breach section contained within section .150, or also to other “disclosures” of personal data under the privacy provisions of the law. SB 1121 amends 1798.150(c) to make clear that “The cause of action established by this section shall apply only to violations as defined in subdivision (a) and shall not be based on violations of any other section of this title.”
Civil penalty amounts
Section 1798.155(a) of CaCPA, as passed, referenced the civil penalty provisions of Section 17206 of the Business and Professions Code as the basis for penalties for non-intentional violations of the law. SB 1121 clarifies that “Any business … that violates this title shall be … liable for a civil penalty of not more than two thousand five hundred dollars ($2,500) for each violation or seven thousand five hundred dollars ($7,500) for each intentional violation …”
Thus AG recovery for civil enforcement actions is up to $2,500 per violation, unless the attorney general proves that the violation was intentional, and if so, the maximum penalty is up to $7,500 per violation.
Attorney general’s screening role for class actions
AB 375 included provisions in its data breach section that required the attorney general to be notified by a consumer bringing a data breach action, required the attorney general to investigate the allegations, and provided that if the AG acted within 30 days it could object to the action and the case would be dismissed. At the attorney general’s request, this section has been stripped from the bill. This will allow plaintiffs’ lawyers to bring a private action against a business for a data breach without clearing that action with the AG. Because the Attorney General’s Office did not want to play the role of screening potential lawsuits and, even if willing to do so, would have been very unlikely to complete an investigation within 30 days, the practical effect of this change appears to be quite limited.
However, the CaCPA provision allowing a business 30 days to cure any alleged violation has remained, giving businesses the ability in some circumstances to cure a data breach within 30 days and thereby to obtain dismissal of a class action.
Finally, SB 1121 fixes a significant gap in the effective date provision of CaCPA by making the provisions of CaCPA that supersede and preempt laws adopted by local municipalities operative on the date the bill becomes effective.
This batch of “technical amendments” to CaCPA does resolve some of the law’s many uncertainties. However, largely because of the haste in which the law was prepared, the exact contours of CaCPA’s requirements are taking significant time to come into focus. California citizens, privacy advocates and regulated businesses will need to wait until next year’s legislative session and the attorney general’s rulemaking before they know how the new rights under CaCPA will work.