New Privacy Obligations From California Consumer Privacy Act Proposed Amendments
For those not tracking the evolution of California’s Consumer Privacy Act (CaCPA), we’ve got some updates for you! While most are still familiarizing themselves with CaCPA’s original requirements, a new senate bill (SB-561) was introduced last week by two California Senators with the intention of further strengthening the rights of Californians. And while changes to the Act are hardly uncommon at this point, the amendments could raise the stakes for organizations that are already concerned with the Act’s expectations.
Notably, SB-561 proposes the following modifications:
- Removes the 30-day cure period after an alleged violation
- Obligates organizations to follow guidance published by the State Attorney General rather than seek its opinion
- Permits consumers to pursue a private right of action for any and all violations of the CaCPA
The Specifics:
Below we outline the original text, the proposed change, and what it could mean for organizations if the new bill is passed.

| CCPA Section | Original Text | Proposed Change | What this means |
|---|---|---|---|
| 1798.150(a) | Any consumer whose nonencrypted or nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following | Any consumer whose rights under this title are violated, or whose nonencrypted or nonredacted personal information. | Different from the original applicability to nonencrypted personal information only, this change would permit consumers to pursue a private right of action for any violation under the CaCPA. |
| 1798.150(c) | The cause of action established by this section shall apply only to violations as defined in subdivision (a) and shall not be based on violations of any other section of this title. Nothing in this title shall be interpreted to serve as the basis for a private right of action under any other law. This shall not be construed to relieve any party from any duties or obligations imposed under other law or the United States or California Constitution | Nothing in this title shall be interpreted to serve as the basis for a private right of action under any other law. This shall not be construed to relieve any party from any duties or obligations imposed under other law or the United States or California Constitution | By removing the restriction of the cause of action to violations under subdivision (a) [see row above], this change lays the groundwork for a private right of action for all violations under the Act, not just those based on a breach of unencrypted data. |
| 1798.155(a) | Any business or third party may seek the opinion of the Attorney General for guidance on how to comply with the provisions of this title. | The Attorney General may publish materials that provide businesses and others with general guidance on how to comply with the provisions of this title. | Eliminating a potential communication bottleneck, this change shifts the responsibility for interpreting and applying the AG’s guidance onto businesses. It reduces the amount of direct communication between the AG and businesses, and requires businesses to comply with published general guidance rather than perpetually seeking advice. |
| 1798.155(b) | A business shall be in violation of this title if it fails to cure any alleged violation within 30 days after being notified of alleged noncompliance. Any business, service provider, or other person that violates this title shall be subject to an injunction and liable for a civil penalty of not more than two thousand five hundred dollars ($2,500) for each violation or seven thousand five hundred dollars ($7,500) for each intentional violation, which shall be assessed and recovered in a civil action brought in the name of the people of the State of California by the Attorney General. The civil penalties provided for in this section shall be exclusively assessed and recovered in a civil action brought in the name of the people of the State of California by the Attorney General | Any business, service provider, or other person that violates this title shall be subject to an injunction and liable for a civil penalty of not more than two thousand five hundred dollars ($2,500) for each violation or seven thousand five hundred dollars ($7,500) for each intentional violation, which shall be assessed and recovered in a civil action brought in the name of the people of the State of California by the Attorney General. | Originally considered a safety net for organizations, the 30-day cure period allowed them to fix problems within that window or face prosecution. The proposed change removes the cure period and, at the same time, eliminates the language that would hinder an individual’s private right of action. |
What’s Next
While this isn’t the first round of revisions (see SB-1121), it is very common for pioneering legislation to go through multiple rounds of review and adjustment throughout its life. And while these and future amendments can add confusion to compliance planning and preparation, they in no way hinder an organization’s ability to take early and important preparatory steps. In fact, no major changes have been made to the Act’s core provisions, including the rights to access, portability, and deletion, privacy notices, “do not sell my personal information” protocols, and requirements around vendor management. With that said, total compliance with the Act will be challenging for most, but certainly not impossible – get a head start by assessing your risks so you can proactively meet the new requirements before the year gets away.
About Kevin Kish
Kevin Kish is a Director of Privacy Compliance at Schellman. With 10 years of industry experience, Kevin has a strong history of implementing, maintaining, and assessing global information security and privacy requirements, including ISO 27001, HITRUST, Privacy Shield, and the General Data Protection Regulation (GDPR). As an industry advocate, he is passionate about researching and writing on the concepts of adaptable data privacy and providing education to clients on the risks, challenges, and best practices around data privacy legislation. He holds several privacy certifications from the International Association of Privacy Professionals (IAPP), including CIPP/US, CIPP/E, and CIPM.