Groundbreaking. Watershed. Unprecedented.
We have heard the California Consumer Privacy Act of 2018 (CCPA) called all these things and more since its enactment on June 28, 2018. Our experience to date has confirmed the compliance challenge ahead for organizations that engage with the residents of the world’s fifth-largest economy.
We will explore the ramifications for businesses of this seminal legislation in this multi-part series, The Challenge Ahead, authored by members of Hogan Lovells’ CCPA team. Each post will provide analysis of key legal issues implicated by the CCPA along with practical takeaways. The series builds on the CCPA overview we recently presented via webinar.
In this first installment, we describe recent activity to enact so-called “technical” amendments to the CCPA.
Future posts will:
- highlight key terms used by the law that are fundamental to planning compliance;
- compare the CCPA to Europe’s General Data Protection Regulation (GDPR), including learnings from GDPR compliance that can be applied in the United States;
- analyze how the act will interact with existing regulations covering organizations in healthcare, financial services, and beyond;
- share practical steps companies are taking now to plan for compliance;
- address the new private right of action established by the law; and
- provide additional CCPA analyses and reports.
Recent Amendments to the CCPA
Unlike most other U.S. privacy laws, which generally focus on specific sectors or issues, the CCPA applies broadly to businesses that collect personal information about California residents and aims to create significant new consumer privacy rights. In doing so, the law has created significant new obligations for businesses that are, to date, unclearly bounded and difficult to implement.
While some have praised the CCPA for its landmark status as the first truly comprehensive consumer privacy bill in the United States, others have been far more critical of the legislation.
Critics have remarked that the burden and cost of compliance for small and mid-sized companies that have recently undergone massive compliance overhauls related to the GDPR may be impracticably high. Some have critiqued the burden that the CCPA will place upon companies whose systems will need to be extensively reconfigured in order to meet consumer requests for disclosure, delivery, and deletion.
Notably, California Attorney General Xavier Becerra, whose office is tasked with adopting regulations to clarify and further the law’s objectives and with enforcing compliance with the CCPA, recently expressed serious concerns about the responsibilities the new law imposes on his office. He emphasized that the statute requires his office to shift from its traditional role as an enforcer and asks it to “take on the new role and obligations of a regulator” without providing either sufficient time or resources. He also noted that the CCPA’s requirement that the AG provide opinions, warnings, and cure periods to businesses or third parties is “unworkable” and tantamount to requiring the provision of “unlimited legal advice to private parties” at taxpayers’ expense. On August 30, 2018, the California Legislature responded by passing SB-862 to amend California’s Budget Act of 2018 to provide, among other things, the AG’s office with additional funding to begin implementation of the CCPA.
Some of the criticism of the CCPA stems from the fast-track manner in which it was enacted, which resulted in what appear to be drafting errors and internal inconsistencies. On August 31, 2018, the California State Legislature passed SB-1121, making limited and largely technical amendments to the CCPA, and the revised bill now sits on California Governor Jerry Brown’s desk awaiting his signature. In addition to correcting certain clear mistakes and making other non-substantive wording changes, the amendments address the following:
- Extension for adoption of Attorney General’s regulations and delayed enforcement
  - The AG was granted an additional six months to adopt implementing regulations for the CCPA, extending the original deadline from January 1 to July 1, 2020.
  - Although the CCPA will still take effect on January 1, 2020, the AG may not bring enforcement actions until six months after final regulations are published or July 1, 2020, whichever is earlier.
- Immediate preemptive effect
  - Effective immediately, the CCPA preempts local laws regulating the collection and sale of consumer personal information by businesses.
- Removal of Attorney General review/approval of private actions
  - Private litigants are no longer required to give advance notice of their actions to the AG.
  - The AG is no longer authorized to halt consumer actions.
- New penalty tiers
  - Instead of a single tier of fines capped at $7,500 per violation, the CCPA now caps fines at $2,500 per violation and $7,500 per intentional violation.
- Attorney General injunction power
  - The AG now has the authority to seek injunctive relief against businesses alleged to be violating the CCPA.
- Revised allocation of penalty proceeds
  - Civil monetary penalties recovered through public enforcement actions will no longer be partially allocated to the jurisdictions on whose behalf the action was brought. All such proceeds will go to the new “Consumer Privacy Fund” within the State Treasury’s General Fund.
- Revised definition of “personal information”
  - The revised definition of “personal information” specifies that the data elements enumerated in the statute qualify as personal information only if they are linked or linkable to a consumer or household.
- Expanded and clarified exemptions for certain health-related information and already regulated entities
  - The revised CCPA clarifies that “medical information” subject to the Confidentiality of Medical Information Act (CMIA) and “protected health information” collected by a “covered entity” or “business associate” established pursuant to the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) are exempt from the statute. The original exemption did not address protected health information collected by business associates.
  - The revised act also adds an exemption for a “provider of health care” under the CMIA and a “covered entity” governed by the privacy, security, and breach notification rules established pursuant to HIPAA and the Health Information Technology for Economic and Clinical Health Act (HITECH), to the extent the provider of health care or covered entity maintains patient information “in the same manner as medical information or protected health information.”
- Clinical trial data exception
  - The revisions exempt information collected “as part of a clinical trial,” to the extent the clinical trial is conducted pursuant to the Federal Policy for the Protection of Human Subjects, the clinical practice guidelines issued by the International Council for Harmonisation, or the human subject protection requirements of the U.S. Food and Drug Administration.
- Expanded GLBA exception
  - The exception for information covered by the Gramm-Leach-Bliley Act (GLBA) has been revised so that it is no longer limited to areas where the GLBA conflicts with the CCPA.
- Expanded DPPA exception
  - The revised exception for information covered by the Driver’s Privacy Protection Act (DPPA) is no longer limited to areas where the DPPA conflicts with the CCPA.
- Clarified free speech exception
  - The revised CCPA does not apply to the extent it infringes on the “noncommercial activities” of publishers, editors, and other like entities.
- Clarification of the scope of the private right of action
  - The CCPA’s private right of action is limited to data breach violations.
While many believe that 2019 will bring additional changes to the CCPA, it appears all but certain that the new law’s core requirements and approach will stay intact. Much like the year-plus run-up to the effective date of the GDPR, and reflecting on lessons from that experience, companies should start planning their compliance approach now.