Purvi G. Patel, Nathan D. Taylor, and Alexandra E. Laks
Privacy + Data Security, Consumer Litigation, Class Actions, and Consumer Products
Late at night on August 31, 2018 before adjourning for the year, the California Legislature approved SB 1121, sending a narrow package of amendments to the California Consumer Privacy Act (the “Act”) to the Governor for review by September 30, 2018. The Legislature’s similar last-minute work in June to pass the Act and supplant the controversial privacy ballot initiative gave way to another even later-hour, constantly changing drama: a tussle to amend the Act. In the two months since the Act’s passage, businesses, industry and consumer groups, and the California Attorney General (AG) have all vigorously advocated for their preferred “fixes” to the Act. Despite being presented with various potential amendments, the Legislature adopted only a few.
For businesses facing the daunting task of complying with the Act’s numerous obligations by January 1, 2020, SB 1121 provides far more limited relief than many had hoped. In fact, many of the amendments are merely “clean up,” correcting typographical and other drafting errors resulting from the Act’s swift passage. There are, however, several business-friendly amendments, which are a small, but substantive, step in the right direction.
All businesses will benefit from the amendment clarifying that the Act’s private right of action is limited to actions arising from certain data security events (as opposed to violations of the Act’s privacy obligations). In addition, SB 1121 amends the Act to provide the AG with a six-month extension to write implementing regulations (i.e., until July 1, 2020) and also bars the AG from bringing an enforcement action until the earlier of July 1, 2020 or six months after the AG has published final regulations. Certain businesses, including financial institutions and healthcare and pharmaceutical companies in particular, will benefit from SB 1121’s amendments that expand and strengthen exceptions to the Act.
Even so, SB 1121 fails to address many of the industry groups’ highest priorities and critical “fixes.” For example, SB 1121 does not narrow the definition of “consumer,” specify the extent to which the Act applies in the context of vendor relationships, or clarify whether the Act requires a just-in-time notice to consumers. When the Legislature returns to session in January 2019, advocacy efforts will also return in full force. Industry groups will redouble their efforts to bring order and clarity through legislative amendment to the Act which, despite SB 1121, continues to include ambiguous, inconsistent, and often overbroad obligations.
Below is an overview of key substantive amendments that SB 1121 makes to the Act, which we discuss in further detail in this alert:
Clarifying and Narrowing the Scope of the Private Right of Action
The Act’s consumer private right of action provision included a number of ambiguities that raised questions regarding the scope of the consumer’s right to sue. Section 1798.150, as originally enacted, allows a consumer to sue if non-encrypted or non-redacted personal information (as defined in the California safeguards law) “is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of [a] violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.” Section 1798.150 also includes repeated references to violations of “this title” (as distinct from violations of the duty to safeguard information). As a result, the “right to sue” could be read either narrowly (e.g., consumer lawsuits may only arise out of the specified data security events) or broadly (e.g., consumer lawsuits may also include a violation of any of the Act’s privacy obligations).
In arguably its most critical substantive amendment, SB 1121 clarifies that the right to sue is limited to certain data security events and not to violations of the Act’s privacy obligations. Specifically, SB 1121 amends Section 1798.150 to state that the private right of action applies “only to violations as defined in [Section 1798.150] . . . and shall not be based on violations of any other section of this title.”
Expanding HIPAA Exception and Adding a Clinical Trial Exception
SB 1121 amends the Act’s HIPAA exception to expand its scope. SB 1121 extends the HIPAA exception to protected health information that is collected by a “business associate” (and not just a “covered entity”). SB 1121 also provides that the Act does not apply to a health care provider (governed by the Confidentiality of Medical Information Act) or covered entity (under HIPAA) with respect to patient information, if the information is maintained in the same manner as medical information subject to the Confidentiality of Medical Information Act or protected health information subject to HIPAA.
SB 1121 also adds a new exception for certain clinical trial information. Specifically, SB 1121 provides that the Act does not apply to “[i]nformation collected as part of a clinical trial subject to . . . the Common Rule, pursuant to good clinical practice guidelines issued by the International Council for Harmonisation or pursuant to human subject protection requirements of the United States Food and Drug Administration.”
Expanding GLBA and DPPA Exceptions
SB 1121 amends the Act’s GLBA and DPPA exceptions to remove language that would have limited the scope of those exceptions. As originally enacted, the Act did not apply to “personal information collected, processed, sold, or disclosed pursuant to” the GLBA or DPPA “if it is in conflict with” either law. SB 1121 removes from each exception the phrase “if it is in conflict with” the GLBA or DPPA. As a result, these exceptions are now similar to the HIPAA exception and provide that the Act does not apply to information collected, processed, sold, or disclosed “pursuant to” the GLBA or DPPA. In addition, SB 1121 further expands the GLBA exception to cover information collected, processed, sold, or disclosed pursuant to the state’s parallel financial privacy law, the California Financial Information Privacy Act (SB1).
SB 1121, however, slightly tempers this positive development by adding a new limitation to these exceptions. As amended, the GLBA/SB1 and DPPA exceptions will not apply with respect to the Act’s private right of action. That is, notwithstanding the GLBA/SB1 and DPPA exceptions, a consumer would still have a right under the Act to file suit relating to certain data security events that, presumably, involve information subject to the GLBA, SB1, or DPPA.
SB 1121 also includes several substantive amendments relating to the California AG’s role in enforcing the Act. These enforcement-related amendments are a mixed bag. The amendments address some (but luckily not all) of the issues raised by the AG in his August 22, 2018 letter to California legislative leaders.
Eliminating Consumer AG Notice Requirement. SB 1121 amends the Act to remove the obligation that a consumer who files suit against a business must notify the AG within 30 days of filing the action and give the AG an opportunity to prosecute or tell the consumer not to proceed with the action. While this technically eliminates a procedural hurdle to the private right of action, it is unlikely to have had much practical effect, particularly given the AG’s views of his oversight role with respect to consumer litigation (or lack thereof). The AG’s letter to the Legislature strongly indicated that the AG had no interest in playing a gatekeeping function over consumer litigation and indicated instead that courts should decide whether a suit has merit.
Clarifying Remedies in AG Enforcement Actions. SB 1121 clarifies the remedies that the AG may seek in an enforcement action. Specifically, SB 1121 amends the Act to remove references to penalties available to the AG under the Unfair Competition Law and to clarify that a business that violates the Act will be subject to an injunction and liable for a civil penalty, per violation, of either $2,500 for a non-intentional violation or $7,500 for an intentional violation.
Extending AG Rulewriting Deadline and Adding an AG Enforcement Delay. Given the breadth of the Act and the complexity of the processes that businesses must put in place to comply with its provisions, businesses and industry groups consistently requested that the Legislature delay the Act’s effective date, at least until 12 months after the AG completed rulemaking. SB 1121, however, does not go that far. Nor does it alleviate the challenges businesses will face in getting compliance-ready without the benefit of final regulations.
SB 1121 amends the Act to extend the general deadline within which the AG is directed to adopt implementing regulations from January 1, 2020 to July 1, 2020, addressing the AG’s stated need for more time to do so. These amendments, however, potentially create new drafting issues, as several rulewriting provisions continue to require the AG to issue rules within one year of passage of the Act (i.e., June 2019).
Importantly, while the Act will continue to be operative on January 1, 2020, SB 1121 amends the Act to delay the AG’s authority to bring enforcement actions until July 1, 2020, or six months after the AG issues final regulations, whichever is sooner. While delayed AG enforcement is a welcome change, the extension of the AG’s rulewriting deadline and the delay in enforcement creates uncertainty as to the timing of potential AG enforcement actions. If the AG does not issue final regulations until January 1, 2020 or later, the AG will not be permitted to bring an enforcement action until July 1, 2020. If the AG issues final regulations before January 1, 2020, however, the AG theoretically could bring an enforcement action between January 1, 2020 and June 30, 2020, depending on the exact date of the final regulations. And if the AG waits until July 1, 2020 to issue final regulations, it would leave businesses with no time to comply with those regulations before the AG theoretically could seek to enforce the relevant requirements.
The uncertainty in timing and lack of a clear buffer between the deadline for final regulations and enforcement are problematic. Ultimately, businesses should not wait until final regulations are issued to get compliance-ready or count on July 1, 2020 as the “go” date for AG enforcement.
SB 1121 takes several steps towards fixing technical errors in the California Consumer Privacy Act and addressing several substantive issues raised by businesses and industry groups. But the revisions are far from an overhaul. The Act’s “individual rights” and broad applicability remain entirely intact. Though there will be another push to amend the Act when the Legislature reconvenes in January 2019, the Act’s core provisions are unlikely to change. As a result, businesses will need to begin or continue their compliance efforts, including developing processes to comply with the Act’s many requirements.
 The Governor has three choices: (1) sign the bill into law; (2) allow the bill to become law without his signature; or (3) veto the bill. See https://www.senate.ca.gov/legislativeprocess.
 See, e.g., Letter to Hon. Bill Dodd, from California Chamber of Commerce, et al. (Aug. 6, 2018), available at https://dlbjbjzgnk95t.cloudfront.net/1072000/1072336/sb%201121%20final%20author%20coalition%20letter%20(2).8.7.2018.pdf; Letter to Hon. Ed Chau and Hon. Robert M. Hertzberg, from Xavier Becerra, Attorney General, Aug. 22, 2018, available at https://iapp.org/media/pdf/resource_center/AG-Ltr-CaCPA-8-22-2018.pdf (“AG Letter”).
 Cal. Civ. Code § 1798.150(c), as amended. Unless otherwise specified, all citations are to Section 3, Title 1.81.5 of the Act, added to Part 4 of Division 3 of the California Civil Code.
 §§ 1798.185(a) and (c), as amended.
 See §§ 1798.145(c), (e), and (f).
 § 1798.150(a).
 See, e.g., § 1798.150(b) (consumer must provide 30 days’ written notice “identifying the specific provisions of this title the consumer alleges have been or are being violated” but need not provide notice if pursuing actual damages “suffered as a result of the alleged violations of this title”) (emphasis added).
 § 1798.150(c), as amended. While this amendment largely puts to rest the debate as to the scope of the private right of action, the provision, even as amended, continues to include drafting issues with its repeated references to “violations of this title.”
 § 1798.145(c)(A), as amended.
 See https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html (discussing definition of “business associate”).
 § 1798.145(c)(B), as amended.
 § 1798.145(c)(C), as amended.
 §§ 1798.145(e) and (f).
 §§ 1798.145(e) and (f), as amended.
 § 1798.145(e).
 See AG Letter.
 See § 1798.150(b), in original and as amended.
 AG Letter at 2.
 Bus. & Prof. Code § 17206.
 § 1798.155(b), as amended.
 § 1798.185(a), as amended.
 AG Letter at 2.
 See §§ 1798.185(a)(3), (6), and (7), as amended.
 The only provision of the Act that is operative earlier than January 1, 2020 is the “local preemption” provision at Section 1798.180 (i.e., the provision that states that the Act supersedes and preempts laws adopted by local entities regarding the collection and sale of a consumer’s personal information by a business). Section 1798.180 is operative on the date SB 1121 becomes effective. § 1798.199.
 § 1798.185(c), as amended.
©1996-2019 Morrison & Foerster LLP. All rights reserved.