The fight begins: amendments to the California Consumer Privacy ActOctober 2, 2018
As you may have heard, the California Consumer Privacy Act (CCPA) — a broad data privacy law — was enacted on June 28, 2018, with an original enforcement date of Jan. 1, 2020. Now, lawmakers have already passed the first amendment to the CCPA (SB 1121) just three months after its enactment. Among the most notable changes is a new enforcement date of July 1, 2020, or six months after the publication of final regulations from the CA Attorney General, whichever is sooner.
The CCPA currently imposes requirements on companies that (1) have an annual gross revenue of $25 million or more; (2) collect, share, or sell data of 50,000 California residents or more; or (3) derive at least 50 percent of their annual revenues from selling consumers’ personal information. Some of the CCPA’s requirements include providing particular notices to consumers about data collection, responding to consumer requests to access, deletion, or correction of their data, and implementing data security measures to safeguard consumers’ information.
The CCPA — often compared to the EU’s General Data Protection Regulation — was hastily passed this summer in an effort to defeat a more intensive data privacy ballot initiative. Due to the quick pace of passage, lawmakers anticipated that the law would require subsequent amendments prior to 2020. On Sept. 23, 2018, the governor of California signed SB 1121, the first amendment to the CCPA.
While the delay of enforcement by the CA Attorney General is the most notable change for companies, the amendment included other changes. The amendment also clarified exemptions for data regulated by the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA). Another change removed the requirement that consumers notify the CA Attorney General’s office after filing a private action related to a data breach.
During the amendment process, businesses, the Attorney General and consumer groups all weighed in on potential changes. An array of industry groups proposed substantial revisions to the law, but lawmakers did not include a majority of their proposed changes. The amount of lobbying both by consumer protection advocates and businesses on the first amendment signals that SB 1211 is likely just the beginning of changes to the CCPA. In the next year, lawmakers will likely consider a number of amendments to the law before its enforcement date.
Regardless of future changes, companies subject to the law should start or continue working regularly towards compliance, including revising privacy policies and developing internal processes to handle consumer data requests. We will continue to monitor the CCPA through future revisions and provide updates.
If you have any questions about the CCPA and your company’s compliance requirements, please contact the Data Security & Privacy Practice Group at Godfrey & Kahn, S.C.