California Legislature Amends New California Consumer Privacy Act of 2018

By Hoge Fenton | 09.7.2018 | Firm Post

Thus far, 2018 has proven to be the Year of Privacy. The year began with news that Facebook had allowed Cambridge Analytica, a political firm, to access private data of more than 50 million Facebook users. Then, on May 25, the European General Data Protection Regulation (“GDPR”) went into force, overhauling 15 years of European privacy law.

Not to be outdone, on June 28, the California Legislature passed a comprehensive consumer privacy law called The California Consumer Privacy Act of 2018 (“CCPA”). The Bill AB No. 375 is, in many ways, California’s response to the Cambridge Analytica scandal and a nod to many of the principles of the GDPR. AB No. 375 was drafted, debated, and adopted within seven days, so not surprisingly, much criticism and scrutiny in the privacy industry followed. And as expected, last Friday, August 31, the California Legislature passed SB 1121 to amend the CCPA.

The CCPA applies to any for-profit legal entity doing business in California that meets any one of the following:

  • has annual revenues in excess of $25 million;
  • possesses the personal data of 50,000 or more consumers, households, or devices; or
  • derives 50% or more of its annual revenues from selling consumers’ personal data.

The CCPA provides new rights to California residents, including:

  • the right to know what personal data is being collected and shared or disclosed with others;
  • the right to object to the sale of personal information; and
  • the right to access personal information that a company holds and to request its deletion.

The CCPA prohibits businesses from discriminating against consumers who exercise these new rights to access, delete or opt out of the sale of their personal information. The law requires new disclosures in privacy policies, including a “Do Not Sell My Personal Information” link on a website home page, and mandates that minors aged 13 to 16 be given the ability to affirmatively authorize the sale of their personal information. For those under 13 years of age, parent or guardian consent is required.

The CCPA defines personal information broadly, well beyond existing definitions in other statutes regulating personal information, as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Remarkably, the CCPA’s definition includes a person’s Internet activity, including searching and browsing history, as well as biometric and geolocation data.

The Legislature’s amendments passed on Friday do not scale back the breadth and depth of the new consumer rights or company obligations specified in the CCPA. Indeed, at the request of Attorney General Xavier Becerra, the Legislature removed the requirement that private plaintiffs notify his office within 30 days of filing a lawsuit for a data breach, and then wait six months to see if the Attorney General elects to pursue the case on his own. Also at his request, the Attorney General has until July 1, 2020 to develop and publish rules implementing the Act, which is six months after its January 1, 2020 effective date. The AG cannot enforce the CCPA until 6 months after the publication of those regulations or July 1, 2020, whichever is earlier.

However, upon its January 1, 2020 effective date, private consumers may bring civil lawsuits against businesses following data breaches under certain circumstances. Private rights of action may only be brought where (a) there is a data breach involving unredacted or unencrypted personal information, and (b) the breach was cause by a company’s failure to maintain reasonable security measures—a standard already required of all businesses possessing consumer personal data by California Civil Code section 1798.81.5 (b). Moreover, there can be no action if the company cures such failure within 30 days and provides the affected consumer(s) written notice that the violation(s) has been cured and no further violations of the act will occur.

Other notable amendments in SB 1121 are:

  • data regulated by the federal Gramm-Leach-Bliley Act (“GLBA”) and Driver’s Privacy Protection Act (“DPPA”) is exempt from the CCPA; and
  • health care providers and other covered entities regulated by the Health Insurance Portability and Accountability Act (“HIPAA”) are also exempt from the CCPA.

California’s governor must sign off on SB 1121, and the Attorney General’s office will need to promulgate regulations to implement the CCPA. Those regulations will set forth in further detail how businesses within the scope of the CCPA must comply with the new law. But for now, anyone doing business in California that falls under the CCPA should, at a minimum:

  • implement data security measures such as encrypting consumer personal information, where feasible;
  • implement reasonable security measures to protect consumer personal data and be able to document it has done so, in the event of a data breach; and
  • update its privacy policy and implement means that allow California resident consumers to access, modify, opt out of sales of, and delete their personal data, and otherwise exercise their new consumer rights under the CCPA.

For Questions Please Contact:

Stephanie O. Sparks chairs the firm’s Privacy & Data Security and Intellectual Property teams at Hoge Fenton. She counsels companies on privacy laws, including the GDPR, and helps them create and implement administrative, technical, and physical safeguards for data security. For questions, call Stephanie at 408.947.2431 or email stephanie.sparks@hogefenton.com.
Matthew S. Wes is an associate in the firm’s Silicon Valley office. He assists clients in protecting their intellectual property and companies with using and protecting employee and user data. Prior to joining the firm, Matt worked with privacy counsel to develop policies and procedures in preparation for the General Data Protection Regulation (GDPR). For questions, call Matt at 408.947.2419 or email matthew.wes@hogefenton.com.

The Fine Print.

This article is provided as an educational service by Hoge Fenton for clients and friends of the firm. This communique is an overview only, and should not be construed as legal advice or advice to take any specific action. Please be sure to consult a knowledgeable professional with assistance with your particular legal issue.

Mackrell International California Minority Counsel Program Best Places to Work 2019 Bay Area Green Business