The Act, which was fast-tracked, has raised considerable issues for companies. Harriet Pearson, Edith Ramirez and Britanie Hall of Hogan Lovells shed some light on the challenges and what companies must do to prepare.
Groundbreaking. Watershed. Unprecedented.
We have heard the California Consumer Privacy Act of 2018 (CCPA) called all these things and more since its enactment on June 28, 2018. Our experience to date has confirmed the compliance challenge ahead for organisations that engage with the residents of the world’s fifth-largest economy. Below, we describe recent activity to enact so-called “technical” amendments to the CCPA.
Recent Amendments to the CCPA
Unlike most other U.S. privacy laws, which generally focus on specific sectors or issues, the CCPA applies broadly to businesses that collect personal information about California residents and aims to create significant new consumer privacy rights. In doing so, this law has created significant new obligations for businesses that are, to date, unclearly bounded and difficult to implement.
While some have praised the CCPA for its landmark status as the first truly comprehensive consumer privacy bill in the United States, others have been far more critical of the legislation.
Critics have remarked that the burden and cost of compliance for small and mid-sized companies that have recently undergone massive compliance overhauls related to the GDPR may be impracticably high. Some have critiqued the burden that the CCPA will place upon companies whose systems will need to be extensively reconfigured in order to meet consumer requests for disclosure, delivery, and deletion.
Notably, California Attorney General Xavier Becerra, whose office is tasked with adopting regulations to clarify and further the law’s objectives and enforcing compliance with the CCPA, recently expressed serious concerns about the responsibilities the new law imposes on his office. He emphasised that the statute requires his office to shift from its traditional role as an enforcer and asks it to “take on the new role and obligations of a regulator” without providing either sufficient time or resources. He also noted that the CCPA’s requirement that the AG provide opinions, warnings, and cure periods to businesses or third parties is “unworkable” and tantamount to requiring the provision of “unlimited legal advice to private parties” at taxpayers’ expense. On August 30, 2018, the California Legislature responded by passing SB-862 to amend California’s Budget Act of 2018 to provide, among other things, the AG’s office with additional funding to begin implementation of the CCPA.
Some of the criticism of the CCPA stems from the fast-track approach in which it was enacted, which resulted in what appear to be drafting errors and internal inconsistencies. On August 31, 2018, the California State Legislature passed SB-1121, making limited and largely technical amendments to the CCPA, and the revised bill now sits on California Governor Jerry Brown’s desk waiting for his signature. In addition to the correction of certain clear mistakes and other non-substantive wording changes, the amendments address the following:
1. Extension for adoption of Attorney General’s regulations and delayed enforcement
The AG was granted an additional six months to adopt implementing regulations for the CCPA, extending the original deadline from January 1 to July 1, 2020. Although the CCPA will still take effect on January 1, 2020, the AG may not bring enforcement actions until six months after final regulations are published or July 1, 2020, whichever is earlier.
2. Immediate preemptive effect
Effective immediately, the CCPA preempts local laws regulating the collection and sale of consumer personal information by businesses.
3. Removal of Attorney General review/approval of private actions
Private litigants are no longer required to give advance notice of their actions to the AG. The AG is no longer authorised to halt consumer actions.
4. New penalty tiers
Instead of a single tier of fines capped at $7,500 per violation, the CCPA now caps fines at $2,500 per violation and $7,500 per intentional violation.
5. Attorney General injunction power
The AG now has the authority to seek injunctive relief against businesses alleged to be violating the CCPA.
6. Revised allocation of penalty proceeds
Civil monetary penalties that are recovered through public enforcement actions will no longer be partially allocated to jurisdictions on whose behalf the action was brought. All such proceeds will go to the new “Consumer Privacy Fund” within the State Treasury’s General Fund.
7. Revised definition of “personal information”
The revised definition of “personal information” specifies that the data elements enumerated in the statute only qualify as personal information if they are linked or linkable to a consumer or household.
8. Expanded and clarified exemptions for certain health-related information and already regulated entities
The revised CCPA clarifies that “medical information” subject to the Confidentiality of Medical Information Act (CMIA) and “protected health information” collected by a “covered entity” or “business associate” established pursuant to the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) are exempt from the statute. The original exemption did not address protected health information collected by business associates.
The revised act also adds an exemption for a “provider of health care” under the CMIA and a “covered entity” governed by the privacy, security, and breach notification rules established pursuant to HIPAA and the Health Information Technology for Economic and Clinical Health Act (HITECH), to the extent the provider of health care or covered entity maintains patient information “in the same manner as medical information or protected health information.”
9. Clinical trial data exception
The revisions exempt information collected “as part of a clinical trial,” to the extent the clinical trial is conducted pursuant to the Federal Policy for the Protection of Human Subjects, the clinical practice guidelines issued by the International Council for Harmonisation, or the human subject protection requirements of the U.S. Food and Drug Administration.
10. Expanded GLBA exception
The exception for information covered by the Gramm-Leach-Bliley Act (GLBA) has been revised so that it is no longer limited to areas where the GLBA conflicts with the CCPA.
11. Expanded DPPA exception
The revised exception for information covered by the Driver’s Privacy Protection Act (DPPA) is no longer limited to areas where the DPPA conflicts with the CCPA.
12. Clarified free speech exception
The revised CCPA does not apply to the extent it infringes on the “noncommercial activities” of publishers, editors, and other like entities.
13. Clarification of the scope of the private right of action
The CCPA’s private right of action is limited to data breach violations.
While many believe that 2019 will bring additional changes to the CCPA, it appears all but certain that this new law’s core requirements and approach will stay intact. Much like the year-plus run up to the effective date of the GDPR, and reflecting on lessons from that experience, companies should start planning their compliance approach now.
Authors: Harriet Pearson, Partner, Hogan Lovells; Edith Ramirez, Partner, Hogan Lovells; Britanie Hall, Senior Associate, Hogan Lovells