[Updated to include additional amendments on September 20, 2018]
Like many new, groundbreaking regulations, the California Consumer Privacy Act of 2018 (CaCPA) is an evolving piece of legislation. Soon after the CaCPA was passed, many privacy advocates and technology industry leaders began lobbying for changes to the regulation before its implementation in January 2020. The much-anticipated first set of amendments to the CaCPA was published on August 27, 2018. In this set, there are 45 amendments, most of which address minor, technical errors. This post will focus on the more substantive amendments and the need for these changes.
The broad definition of personal information has been updated to include information that could be associated with, or could be reasonably linked, directly or indirectly, with a particular household or consumer. The regulation now provides a clearer definition of what constitutes biometric information: “An individual’s physiological, biological characteristics to include DNA, imagery of the iris, retina, finger print, face, hand palm, vein patterns, and voice recordings.”
The new amendments also clarify that IP addresses and geolocation data are not necessarily considered personal information unless they can be reasonably linked to a specific individual or household. This change was necessary because the original definition was extremely broad with no guidance on what data is considered personal information. A more refined definition allows for greater protections for consumers and requires a more robust compliance program for organizations.
Expanding HIPAA/Clinical Trial Exemptions
These amendments expand the CaCPA’s exemption for information governed by the Health Insurance Portability and Accountability Act (HIPAA). The new revision exempts Protected Health Information (PHI) that is collected by a covered entity or a business associate governed by the privacy, security, and breach notification rules issued by the U.S. Department of Health and Human Services.
The bill also now includes exemptions for certain data collected for clinical trials, such as:
- Data that is subject to the Federal Policy for the Protection of Human Subjects
- Trials under the purview of the federal regulation.
These exemptions prevent redundancy and conflicting regulations. Organizations that were concerned about complying with both HIPAA and CaCPA can instead focus on their ongoing compliance efforts with HIPAA and the Consumer Rule concerning clinical trials. However, not all data is exempt, because not all the information that health care organizations collect is covered by HIPAA. For example, a health care organization could collect personal information from a consumer that is not PHI. That data, while not covered by HIPAA, would be covered by the CaCPA. This increases health care organizations’ responsibility to know what information is covered by which regulation.
Gramm-Leach-Bliley Act (GLBA) and Driver’s Privacy Protection Act (DPPA) Exemptions
The revised bill has eliminated exemptions for the GLBA and DPPA in certain sections that were found to contradict the previous text. The bill also states that GLBA and DPPA exemptions will not apply to Section 1798.150 of the law, which addresses the right of consumers to sue for data breaches in specific scenarios. However, the new amendments did create a new exemption for data collected under the California Financial Information Privacy Act.
Much like the HIPAA amendments, the GLBA and DPPA exemptions were struck from those sections to avoid any concerns about conflict between the different regulations.
These amendments provide more clarity on the limitations surrounding a consumer’s private right of action. The bill now explicitly states that “the cause of action established by this section [1798.150] shall only apply to violations as defined in subdivision (a)” [breaches], which covers unauthorized access to unredacted and/or non-encrypted information, and the new amendment clarifies that civil actions “shall not be based on violations of any other section of this title.” The range of compensation varies from $100 to $750, depending on the damages.
Consumers are no longer required to notify the Attorney General before pursuing civil action, but they must still notify the business and allow it up to 30 days to rectify the violation.
No amendments have been made to the consumer’s responsibility of notifying the Attorney General prior to pursuing a civil action suit.
Local Preemptions Prior to 2020
Previously, the bill allowed local laws to regulate the collection and sale of consumers’ personal information, but now it clearly states, “This title is a matter of statewide concern and supersedes and preempts all rules, regulations, codes, ordinances, and other laws adopted by a city, county, city and county, municipality, or local agency regarding the collection and sale of consumers’ personal information by a business.” (Section 1798.180).
This means that no aspects of the law may be implemented by local agencies until its effective date in 2020. These amendments prevent the possibility of confusion between local and state efforts of addressing privacy requirements.
Attorney General Enforcement Actions
The revised bill has deferred the state Attorney General’s ability to carry out enforcement actions until July 1, 2020 – six months after the bill goes into effect. Furthermore, this revision has limited the monetary amount the Attorney General may recover on behalf of a consumer to a maximum of $7,500 for each intentional violation.
In addition to pursuing civil action, the Attorney General can also pursue a class suit on behalf of the state of California for violations of the regulation, which could result in a fine of up to $2,500 for each unintentional violation, or up to $7,500 for each intentional violation, if the business fails to cure the alleged violation within 30 days. There has been no further guidance as to which violations would invoke the maximum fine of $7,500.
Given these amendments, the Attorney General can be expected to release guidance on how it will enforce the regulation. However, questions remain as to whether that guidance will come before or after the CaCPA’s implementation date, due to the amendments’ new six-month enforcement window.
Is there a missing amendment?
While many of the amendments have focused on fixing technical errors and clarifying some of the gray areas in the previous text, many privacy advocates still believe that there is more work to be done. One of the most requested changes, which concerned the consumer’s right to opt out of the collection and sale of their information, was not addressed in these amendments. Consumer privacy advocates continue to fight for a change that would establish a right to opt in, rather than opt out. An opt-in model would keep businesses from using incentives that may discourage an individual from opting out.
Another concern surrounding the right to opt out is that criminals may use the opt-out as a way to dodge law enforcement agencies. This is because law enforcement agencies often rely on the data services provided by private vendors to conduct and monitor public safety. The right to opt out could enable individuals conducting criminal activities to go unnoticed. Thus, greater attention should be paid to how the opt-out requirement may affect these methods of monitoring and data sharing for the law enforcement community.
The CaCPA, with its speedy approval, caused a commotion as it broke new ground in the world of consumer privacy in the U.S. Many see California as a pioneer in privacy legislation in the U.S. and believe it will set off a chain reaction of new regulations and laws in other states. In the meantime, the requirements and changes found within the CaCPA can serve as a glimpse of what is to come and help organizations across the U.S. prepare, whether they are required to comply or not. Those preparing for CaCPA compliance must keep in mind that the original bill was ambiguous in a number of areas, which may result in additional revisions. Therefore, it is expected that the CaCPA will continue to evolve and that the Attorney General may issue more specific guidelines regarding implementation.
As new revisions are made to this important regulation, we will continue to provide more insights and updates. Stay tuned!
Disclaimer: Focal Point Data Risk, LLC is not a law firm and does not provide legal advice. This content is intended for informational purposes only.