Amendments Draw Future Battle Lines Over Landmark California Privacy Legislation
In the last week of August, California legislators passed amendments containing what many think will only be the first round of changes to the California Consumer Privacy Act (CCPA) of 2018. These amendments, which the governor approved this week, clarify some ambiguities contained in the CCPA but leave others still hazy. As a result, these initial amendments may indicate where the battles over the legislation will take place in 2019, leading up to the law’s ultimate implementation on January 1, 2020.
Significantly, the amendments already signal a slight easing of the burden to be placed on businesses by including a change to the definition of personal information. As discussed in greater detail below, the change scales back the original definition’s reach by making clear that data elements will only be considered personal information if those elements relate to or identify a consumer or household.
The initial legislation listed 11 different data elements that were considered to be “personal information.” The data elements included information such as names, IP addresses, email addresses, geolocation data, biometric data, commercial data, educational data, employment data, internet information, and the inferences drawn from such information and used to create a consumer profile. The amendment keeps the 11 data elements included in the initial legislation but also adds language that makes clear that the data elements are no longer considered “personal information” by default. Instead, the 11 data elements will now only be personal information if such information “identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household...”
The amendments also attempt to eliminate ambiguities in the exemption language contained in the initial legislation. The amendments clarify that information otherwise covered by HIPAA, the Federal Policy for the Protection of Human Subjects, the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, the California Financial Information Privacy Act, and the California Driver’s Privacy Protection Act is exempt from the CCPA.
Further, in a move that eases the burden on consumers seeking redress for data breach injuries, the amendments remove a hurdle to bringing the private right of action afforded to consumers for injuries—including non-monetary injuries suffered by consumers as a result of data breaches—by discarding the requirement that the consumer must provide 30 days’ notice to California’s Attorney General before filing the action.
In the original legislation, the consumer was required to give the Attorney General notice of the action within 30 days of having filed the action. The Attorney General then had 30 days after the notification to take one of the following actions: inform the consumer that the Attorney General was going to prosecute an action against the violation; tell the consumer to refrain from the private action; or choose to refrain from acting, allowing the consumer to proceed. If the Attorney General notified the consumer that the Attorney General was going to initiate its own action, but did not prosecute within six months, the consumer was then allowed to proceed with the private action.
The amended version of the CCPA does away with all these requirements but does keep the requirement that before initiating a private action, a consumer must provide the offending business with 30 days’ written notice that identifies the specific provisions of the CCPA that were allegedly violated, giving the business 30 days to cure such violations. If the business provides the consumer with an express written statement that the violations have been cured and will not occur again, the consumer, whether as an individual or as part of a class, may not bring the private action. (Not answered by the amendment is the question: How does a business “cure” a data breach?)
The language contained in this portion of the CCPA can reasonably lead one to conclude that a consumer, as an individual or as part of a class, can bring a private right of action for any violation of the CCPA. But that would be wrong because the amended law also makes clear that the private right of action only applies to data breaches. In addition, while the definition of personal information under the CCPA itself covers 11 different data elements that relate to or identify a consumer or a household, the private right of action only applies to a breach of the following data elements, which are much more limited than the broader CCPA definition:
1. An individual's first name or first initial and his or her last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:
- Social Security number;
- Driver's license number or California identification card number;
- Account number, credit or debit card number (in combination with any required security code, access code, or password that would permit access to an individual's financial account);
- Medical information; and
- Health insurance information.
2. A username or email address in combination with a password or security question and answer that would permit access to an online account.
Apart from the private right of action, the amendments also provide that the Attorney General may bring an action to pursue a civil penalty against any business that does not cure an alleged violation within 30 days of being notified of the alleged violation. The amendment provides for a penalty of not more than $2,500 for each violation and not more than $7,500 for intentional violations.
Importantly, the amendments also provide businesses the ability to seek guidance from the Attorney General on how to comply with the CCPA’s provisions. In addition, the Attorney General will now have until July 1, 2020, to issue regulations implementing the CCPA. And significantly, the Attorney General may not bring any actions to enforce the CCPA before July 1, 2020, effectively delaying the law’s implementation by six months.
Both businesses and consumers gained something from the first round of amendments. The refining of the definition of “personal information” will help businesses, while the removal of the Attorney General notice requirement before filing a private right of action for data breaches will help consumers. But more changes are expected as the CCPA’s proponents and detractors attempt to put their stamp on the legislation before it is enacted. Due to the legislation’s reach to businesses outside of California, staying informed and being ready to comply will be a business necessity.