Late last week California legislative leaders published their agreed technical amendments to the California Consumer Privacy Act of 2018. These amendments followed almost two months of intense lobbying by leading industry and consumer groups alike. Both groups want to see more changes, but consideration of those requests is now likely deferred until the legislature begins its new session in January 2019. While technically a small chance remains for additional changes to be made this week, observers say further changes at this time are very unlikely.
The principal amendments
The published revisions in SB 1121 include 45 amendments, but as a practical matter there are actually far fewer substantive changes to the law. Many changes simply correct drafting errors such as incorrect cross-references and the like. This article discusses the principal substantive changes in the bill as well as some requested changes that should be addressed by the legislature when it returns in January.
Definition of personal information
The bill contains a key change to the definition of “personal information.” Even as revised, however, the broad definition remains without precedent in that it also captures data associated with “households” (and indirectly sweeps in data associated with “devices”).
The PI revision in the bill addresses the long list of personal information examples in the law. That list includes IP addresses, unique identifiers and many other items. The change in the definition clarifies that the various items on the list are all only potentially personal information. The new language states:
“[Personal information includes the following] if it identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household:”
As a result of this change, data types such as IP addresses, purchasing histories and geolocation data will no longer automatically be deemed to be personal information. Instead, they will become PI if they can be associated with a specific consumer or household.
HIPAA clarification and clinical trial exemption
The new bill clarifies and expands the law’s exemption for information governed by the Heath Insurance Portability and Accountability Act. As revised, the bill states that information exempt from the law includes “protected health information that is collected by a covered entity or business associate governed by the privacy, security and breach notification rules issued by” the U.S. Department of Health and Human Services. The exemption in the original CaCPA original law had not addressed HIPAA business associates.
The bill also addresses clinical trials, exempting certain information. The new clinical trial exemption apples to data from trials that (i) are subject to the so-called “Common Rule” (Federal Policy for the Protection of Human subjects), and (ii) follow certain leading clinical practice guidelines. This provision is a new substantive exemption since the original law did not address clinical trials.
GLBA and DPPA exemption clarifications
The revised bill incorporates industry arguments that the law’s exemptions for the Gramm-Leach-Bliley Act and Driver’s Privacy Protection Act data needed to be fixed. The law sought to exempt data governed by the federal GLBA, which is information maintained by financial institutions, and data governed by the DPPA, which covers information related to motor vehicle records and driver’s licenses. However, the law only exempted GLBA and DPPA data where the CaCPA was in “conflict” with those statutes, which led to concerns that such a “conflict” might be either nonexistent or otherwise very narrow.
In the bill, the conflict element has been struck from the exemptions for both GLBA and DPPA. The bill also provides that the GLBA and DPPA exemptions will not apply to Section 1798.150 of the law, which is the provision addressing the right of consumers to sue for certain data breaches. Further, the bill also creates a new related exemption for data under the California Financial Information Privacy Act.
CaCPA’s authors had made it clear that the private right of action in the law only applied only to Section 1798.150, which creates potential liability for businesses in the wake of a data breach. However, after the law was published several parties thought it was not sufficiently clear whether only the attorney general had the authority to bring actions for violations of the rest of the title beyond the data breach provision.
In the revised bill, the authors address this concern directly, inserting: “The cause of action established by this section [1798.150] shall only apply to violations as defined in subdivision (a) [breaches] and shall not be based on violations of any other section of this title.”
The CaCPA states that it preempts local laws regarding the collection and sale of a consumer’s personal information by a business:
“This title is a matter of statewide concern and supersedes and preempts all rules, regulations, codes, ordinances, and other laws adopted by a city, county, city and county, municipality, or local agency regarding the collection and sale of consumers’ personal information by a business.” (Section 1798.180)
A revision in the bill makes that preemption effective when the bill becomes law, even though most operative provisions of the law will be delayed until January 1, 2020 (with attorney general enforcement of the law delayed until July 1, 2020, as discussed further below). This change prevents confusion arising from local efforts to address privacy requirements between now and 2020.
Changes to timing and the attorney general’s role
In an August 22 letter to California legislative leaders, the California Attorney General raised a number of concerns about the law. The bill addresses some but not all of those concerns, although the remaining concerns can still be reconsidered in January. For example, the Attorney General questioned why a plaintiff must first give notice to the attorney general before filing a suit pursuant to Section 1798.150; however, those notice provisions are undisturbed by the bill.
In his letter, the attorney general also raised timing and resource concerns, which the bill partially addresses. The letter discussed the burden of drafting the mandated regulations considering the Office of the Attorney General had been given no additional funding or staff for that activity. The bill’s solution was to allocate 100 percent of civil penalties collected under the law to a fund for use by the office and courts to offset their costs.
In addition, the bill defers from January 1, 2020, to July 1, 2020, the mandate that the attorney general draft and adopt the law’s implementing regulations. Further, recognizing that the substantive provisions of the bill still take effect on January 1, 2020, the bill delays the attorney general’s ability to bring enforcement actions:
“The Attorney General shall not bring an enforcement action under this title until six months after the publication of final regulations issued pursuant to this section or July 1, 2020, whichever is sooner.”
This provision does not, however, delay the effective date of the CaCPA. It also arguably does not prevent the attorney general from bringing an enforcement action on July 1, 2020, or thereafter for conduct occurring (i) before that date or (ii) before the regulations were published.
In short, businesses preparing for compliance by January 1, 2020, should not count on receiving more direction or clarity in a timely way from the attorney general regulations. They may be published well after that date.
Requested revisions not yet made
The revisions in the bill were intended to be technical amendments and corrections only. One can debate whether that concept was applied too narrowly, but nonetheless it is clear that some important issues and concerns have been deferred until the legislature reconvenes in January 2019. For example, the bill does not address the narrow definition of the public records exception to the personal information definition; the requested changes to the Fair Credit Reporting Act exemption in the bill; or some of the concerns raised in the attorney general’s letter.
“Criminals can opt out” problem remains
Potentially, the most significant problem not fixed in the bill is in the provisions that give consumers the right to opt out of sales of their data. The CaCPA failed to limit that opt out right with respect to data used to prevent or investigate crime. Many argued that these fixes should have been made as technical amendments because of the various exceptions that had already been included in the law’s deletion right provisions.
You might ask: How does a right to opt out of data sales create an issue related to criminals or crime? The answer is clear. In this sophisticated digital world, law enforcement agencies, other government agencies and businesses all rely on private vendors to provide data services that they use to prevent or investigate crimes and to conduct diligence activities. For example, LexisNexis (a subsidiary of the company I work for) alone provides such investigation data services to approximately 300 law enforcement agencies in California. Services like this are also used by other California agencies (such as those seeking to locate parents who are delinquent in paying child support) and by businesses seeking to prevent identity theft. It would severely hurt the public interest if California allowed criminals to “opt out” of data services used for these vital purposes.
Similarly, businesses such as banks use third-party data companies to comply with federal laws such as the anti-money laundering rules. If terrorists and others could opt out of such data services and watch lists, the fight against money laundering and terrorism would be hurt. In January, the legislature should consider exempting companies who provide watch lists or other data that businesses need to meet their compliance obligations such as AML compliance.
As businesses begin their CaCPA compliance preparations, many requirements are clear and will not change. For example, all businesses must be disciplined about their personal data sources and must carefully inventory how and where they use personal data. Absent that discipline, CaCPA compliance will not be possible. More detailed requirements under CaCPA will continue to evolve during 2019 as additional revisions are debated and as the California Office of the Attorney General begins its process of drafting CaCPA regulations.
If you want to comment on this post, you need to login.