Amendments to California’s new consumer privacy law

On September 23, 2018, the California legislature enacted Senate Bill 1121 (the “Amendment”) amending the California Consumer Privacy Act (the “Act”). More amendments to the Act are expected leading up to the operative date of the Act, on January 1, 2020.

1. Urgency Clause - Effective Date

The Act was originally set to become operative on January 1, 2020. Although the Amendment preserves this operative date, the Amendment contains an urgency clause under which the Act took effect immediately upon Governor Brown signing the Amendment. The intent behind this urgency clause was to prevent local governments from passing conflicting laws prior to the January 1, 2020 operative date.

2. The Right to Delete

Among other obligations the Act imposes on covered businesses regarding their handling of a consumer’s personal information (“PI”) (see Part 2), the Act requires businesses that collect PI about a consumer to disclose the consumer’s right to delete PI on its website or in its online privacy policy. 

The Amendment modifies that requirement by requiring a business that collects PI about a consumer to disclose the consumer’s right to delete PI in a form that is reasonably accessible to consumers and in accordance with a specified process.

3. Consumers’ Private Right of Action

As discussed in Part 4, the Act generally provides for its enforcement by the Attorney General, but also provides for a private right of action in connection with unauthorized breaches of consumer personal information. This Amendment clarifies the following:

• The civil penalty for data breaches that are brought by the Attorney General are capped at $2,500 per violation, or $7,500 for each intentional violation.

• All settlement and penalty amounts will be allocated to the Consumer Privacy Fund.

• Consumers no longer have to notify the Attorney General within 30 days of filing a private action.

4. Entities Exempted from the Act

The Act establishes several exceptions to the requirements imposed by the Act, including prohibiting the Act from being interpreted to restrict the ability of a business to comply with federal, state, or local laws. As amended, the Act provides relief to financial institutions and health care providers, and therefore does not apply to the following:

• PI collected, processed, sold, or disclosed under the Gramm-Leach Bliley Act, the Driver’s Privacy Protection Act or the California Financial Privacy Act.

• Protected health information governed by HIPAA, or the California Confidentiality of Medical Information Act.

• Certain PI collected as part of clinical trials.

If you have any questions concerning whether your company might be covered under the Act, and your obligations, please reach out to an MLG attorney to assist you.

Read the full series:

Part 1: Addresses businesses and consumers are covered under the CCPA.
Part 2: The CCPA’s expanded definition of “personal information”, and some of its limitations and exemptions.
Part 3: Covered Businesses’ obligations to consumers under the CCPA.
Part 4: The CCPA’s enforcement framework and penalties for violations.
Amendments: What you should know about the September 2018 Amendments to the CCPA.

Author: Caitie Emmett, Associate.

The Maier Law Group helps companies ensure that their policies and practices comply with the relevant workplace regulations.  Please contact us at info@maierlawgroup.com for more information.

This article has been prepared for general informational purposes only and does not constitute advertising, solicitation, or legal advice. If you have questions about a particular matter, please contact the Maier Law Group directly.