California Legislature Cleans Up Privacy Law, But What Next?

Financial Services Law

After months of public debate and negotiation on privacy, the California State Legislature wrapped up the 2017–18 legislative session with a consensus privacy measure following on the heels of June’s California Consumer Privacy Act (CCPA, or the Act). Senate Bill 1121 (Dodd)—cleanup legislation to the CCPA—passed the California State Senate on a bipartisan unanimous vote in the final hours of the legislative session. Governor Brown is expected to sign the cleanup measure. The CCPA itself was a last-minute June compromise among privacy proponents, the legislature and the business community to keep a ballot initiative on privacy off the November 2018 ballot. The earlier measure was proposed and enacted with extraordinary haste in order to meet the June 28 ballot deadline. The speed of that process necessitated a later bill, SB 1121, to clean up drafting errors and further clarify certain provisions of the CCPA.

From the outset, the legislators principally involved in negotiating the CCPA—Assemblymember Ed Chau along with Senators Bob Hertzberg and Bill Dodd—made clear that they did not intend as a matter of good faith to permit SB 1121 to make substantive changes to the Act. Instead, they planned to accept only “technical cleanup” bill language. And for the most part, SB 1121 honors that commitment, rejecting many of the broader changes proposed by the business community, while incorporating some implementation changes requested by the California Office of the Attorney General (AG). The major amendments in SB 1121 include:

  • A six-month delay in implementing the consumer information and use portions of the bill. The AG would be required to promulgate final regulations by July 1, 2020, rather than Jan. 1, 2020, as originally enacted. And the bill prohibits enforcement of these actions by the AG until July 1, 2020, or six months after regulations are finalized, whichever is sooner.
  • Amendments that clarify an exemption for protected health information collected by entities subject to the Health Insurance Portability and Accountability Act (HIPAA) and that provide protection for information gathered during clinical trials subject to federal regulation.
  • Exemption from most CCPA provisions for personal information collected pursuant to the federal Gramm-Leach-Bliley Act and the California Financial Information Privacy Act, largely impacting the financial services industry. 
  • Clarification that the CCPA’s private right of action applies only to the law’s section on data breach.
  • Clarification that the CCPA pre-empts local jurisdictions from adopting their own privacy ordinances immediately upon signature by the governor, notwithstanding the delayed implementation of other portions of the bill.
  • Elimination of the “gatekeeping” function of the AG. A provision in the Act allowing the AG to instruct consumers whether they would be able to proceed with their private right of action was stricken at the AG’s request.

SB 1121 now awaits signature by the governor, who has until Sept. 30 to act on the measure. It is important to note that notwithstanding these clarifications to the CCPA, there will no doubt be further efforts to make changes to the Act commencing next January in the 2019–20 legislative session. The pressure to amend the CCPA will be coming from multiple sides. The business community has a range of amendments it will be seeking—from additional clarifying language to more substantive changes related to particular industries—while on the other side of the debate, there may be efforts by consumer advocates to expand the reach of the CCPA. Notably, the AG sent a letter to legislative leaders in the last two weeks of session requesting the expansion of the CCPA’s private right of action, which is currently limited to the data breach portions of the bill. That change was not incorporated into SB 1121, but it may become ripe for debate in coming years. In addition, privacy discussions will expand to the regulatory front as the AG’s office begins to promulgate rules implementing aspects of the CCPA.  

One of the benefits of having the CCPA proceed through the legislative process is the ability to refine the Act over time without the legal and political problems of amending voter-enacted constitutional measures like the proposed initiative version of the CCPA. Advocates on all sides of the issue as well as legislative leadership and the governor wanted a policy that could be tweaked over time in light of inevitable technological changes and evolving concepts of privacy. As a result, the CCPA will likely be a legislative and judicial work in progress for many years to come.