Last week, I had the pleasure of speaking at the 11th Annual Northern Kentucky University Cybersecurity Symposium. This year, over three hundred attendees ranging from IT and security professionals, to corporate executives and attorneys, gathered for workshops and presentations relating to nascent privacy and security issues. During my presentation, “So Goes California, So Goes the Nation,” I discussed the California Consumer Privacy Act (“CCPA”), and the California legislature’s recent amendments to the CCPA (“the Amendments”), which were signed into law by Governor Brown on Sept. 28, 2018.
As I explained during my presentation, the CCPA was fast-tracked through the California legislature in an attempt to preempt a state-wide voter initiative that would have enacted regulations on California businesses that collect personal information, but would have been immune from amendment absent a second state-wide voter initiative. Because the California legislature drafted and passed the CCPA in a week, a number of businesses have identified vague and confusing aspects of the law. Therefore, just eight weeks after passing the CCPA, the California legislature has already passed the first set of Amendments. Here are the top takeaways from my talk at NKU:
- Private Right of Action & Civil Penalties: The CCPA creates a private right of action for a California citizen only when a company has suffered a data breach that is the result of the company’s failure to implement reasonable security measures. The CCPA requires the individual to contact the company prior to initiating an action, and allows the company thirty (30) days to cure the violation. The California Attorney General can also issue civil penalties of up to $2,500 per violation of the CCPA, and up to $7,500 for each intentional violation.
- Role of California Attorney General: The Amendments clarified that although the CCPA takes effect on Jan. 1, 2020, the California Attorney General can wait until July 1, 2020 to promulgate final regulations. Further, the California AG cannot file enforcement actions under the CCPA until the earlier of July 1, 2020, or six months after the date of the final regulations. Accordingly, businesses regulated under the CCPA will have limited time to align their compliance programs before potential enforcement. Additionally, the original CCPA required any private right of action suits or class actions to be sent to the California AG’s office to determine whether a potential violation existed. The Amendments removed this requirement to avoid forcing the AG’s office into the role of a litigation gatekeeper.
- Federal Privacy Regulations Exemptions: Originally, the CCPA contained exemptions from compliance for information already subject to federal privacy laws, such as the Gramm-Leach-Bliley Act, the Driver’s Privacy Protection Act or the Health Information Portability and Accountability Act, whenever the CCPA conflicted with a requirement of the federal law. Now, under the Amendments, that exemption simply applies across the board regardless of whether or not the CCPA conflicts with these laws. However, companies need to be aware that being subject to a federal regulation does not exempt all data being collected from the new CCPA. If a business collects data outside the federal regulations, then that data will still be regulated by the CCPA.
Since we still have over 14 months before the Jan. 1, 2020 operational date, businesses can likely expect to see more calls for amendments in the interim. Indeed, the CCPA is a reminder that data privacy protection initiatives are spreading across the United States and around the world. At the federal level alone, several legislative proposals are being considered to increase protection for consumer privacy, including the Consumer Privacy Protection Act and the Data Security and Breach Notification Act.
Accordingly, businesses should strategize approaches to responding to consumer requests and complying with not only the imminent CCPA, but also the growing tide of consumer privacy initiatives on the horizon. As I told the NKU attendees, the time before these laws become operative is a great opportunity for businesses of all shapes and sizes to think proactively about the data they collect, and how they want to use that data to further their business interests.