Labor Day has passed, and the Privacy & Security Matters blog is back after a bit of a hiatus. The California State Legislature was busy up to the last day of the session working on privacy legislation.
Amendments to California Consumer Privacy Act
As we have previously reported, the California legislature has been out front yet again on the privacy front. The California Consumer Privacy Act of 2018 (“CCPA”) is a sweeping piece of privacy legislation, but it was passed very quickly and contained drafting errors and inconsistencies. In addition to the nature of the legislation itself, California Attorney General Xavier Becerra expressed his consternation to the legislators, complaining that his office is not equipped to handle the necessary workload, including drafting regulations by January 1, 2020.
So, last Friday, the legislature passed SB-1121, which seeks to correct some drafting errors and inconsistencies; its amendments are primarily technical in nature. If you were hoping for some regulations and/or AG guidance prior to January 1, 2020, think again and read on.
Some of the key amendments to the CCPA are:
- The AG has bought his office an additional six months to issue implementing regulations. SB-1121 extends the deadline from January 1, 2020 to July 1, 2020.
- Although the effective date of January 1, 2020 has not changed, the bill delays the AG’s enforcement authority under the CCPA until 6 months after publication of the implementing regulations or July 1, 2020, whichever comes first.
- Civil penalties are limited to $2,500 for each violation of the CCPA or up to $7,500 for each intentional violation.
- The lengthy definition of “personal information” or “PI” in the CCPA is clarified by the amendment, which provides that IP address, geolocation data, and web browsing history would constitute PI only if the data “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” (Note that the amendment still does not define “household.”)
- SB-1121 removes the “in conflict” qualification language from the exemption for information subject to other privacy laws such as Gramm-Leach-Bliley and the Driver’s Privacy Protection Act, and also exempts such information from the CCPA’s private right of action provision.
- For health care providers, SB-1121 adds an exemption for “business associates” covered under HIPAA, which were left out of the original text. Further, SB-1121 adds an exemption for HIPAA-covered entities and providers of health care governed by California’s Confidentiality of Medical Information Act.
- The amendment also adds an exemption for “information collected as part of a clinical trial” that is subject to the Federal Policy for the Protection of Human Subjects and is conducted according to clinical practice guidelines.
SB-1121 now sits on California Governor Jerry Brown’s desk for signature, and it is expected that the legislature will consider more substantive changes to the law when it reconvenes in January 2019. Stay tuned.
California Internet of Things Bills
Two other bills are also on Governor Brown’s desk relating to privacy and security in the Internet of Things (IoT). If the bills are signed, all Internet-connected devices sold in California, such as thermostats, televisions, and security cameras, would need “reasonable security features” by January 2020. The bills would apply to devices that can connect directly or indirectly to the Internet and are assigned IP or Bluetooth addresses. The majority of smart home devices would fall under these bills. “Reasonable security features” are not defined, and manufacturers argue that the bills are too vague and leave the companies open to litigation. There is no private right of action.
The two bills, S.B. 327 and A.B. 1906, are identical and conjoined: both must be signed by the Governor for either to take effect. As of the writing of this post, the Governor has not taken a position on the bills. He has until September 30 to sign or veto.
The bills cover manufacturers or those who contract with manufacturers to make devices offered for sale in California.
Get Ready – Mintz’s Privacy Team Will Be Preparing
The CCPA will require that businesses spend much of their time both paying attention to further legislative action and preparing for the January 1, 2020 effective date. Businesses will need to assess their operations in light of the CCPA’s obligations and take the complexity of the CCPA and its compliance requirements seriously. To help with that task, Mintz’s Privacy Team will be presenting a series of webinars, as we did in the run-up to GDPR. Watch this space for announcements regarding upcoming dates and events.