New Privacy Obligations from CCPA’s Proposed Amendments

March 11, 2019 Kevin Kish

For those not tracking the evolution of the California Consumer Privacy Act (CCPA), we’ve got some updates for you!  While most organizations are just familiarizing themselves with CCPA’s original requirements, a new senate bill (SB-561) was introduced last week by two California Senators with the intention of further strengthening the rights of Californians.  And while changes to the bill are hardly uncommon, these amendments could raise the stakes for organizations that are already concerned with the Act’s expectations.

Notably, SB-561 proposes the following modifications:

  • Removal of the 30-day cure period after an alleged violation
  • An obligation for organizations to follow guidance published by the State Attorney General (AG) rather than seek the AG’s opinion
  • Permission for consumers to pursue a private right of action for any and all violations of the CCPA

The Specifics:

Below we outline, for each affected CCPA section, the original text, the proposed change, and what it could mean for organizations if the new bill is passed.

CCPA Section 1798.150(a)

Original Text: Any consumer whose nonencrypted or nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following

Proposed Change: Any consumer whose rights under this title are violated, or whose nonencrypted or nonredacted personal information.

What this means: Unlike the original text, which applied only to breaches of nonencrypted or nonredacted personal information, this change would permit consumers to pursue a private right of action for any violation under the CCPA.

CCPA Section 1798.150(c)

Original Text: The cause of action established by this section shall apply only to violations as defined in subdivision (a) and shall not be based on violations of any other section of this title. Nothing in this title shall be interpreted to serve as the basis for a private right of action under any other law. This shall not be construed to relieve any party from any duties or obligations imposed under other law or the United States or California Constitution

Proposed Change: Nothing in this title shall be interpreted to serve as the basis for a private right of action under any other law. This shall not be construed to relieve any party from any duties or obligations imposed under other law or the United States or California Constitution

What this means: By removing the language that limited the cause of action to violations of subdivision (a) [see the section above], this change would lay the groundwork for a private right of action for all violations under the Act, not just those based on a breach of unencrypted data.

CCPA Section 1798.155(a)

Original Text: Any business or third party may seek the opinion of the Attorney General for guidance on how to comply with the provisions of this title.

Proposed Change: The Attorney General may publish materials that provide businesses and others with general guidance on how to comply with the provisions of this title.

What this means: Eliminating a potential communication bottleneck, this change shifts the responsibility for interpreting and applying the AG’s guidance onto the businesses themselves.  It reduces the amount of direct communication between the AG and businesses, and requires businesses to comply with general published guidance rather than perpetually seeking advice.

CCPA Section 1798.155(b)

Original Text: A business shall be in violation of this title if it fails to cure any alleged violation within 30 days after being notified of alleged noncompliance. Any business, service provider, or other person that violates this title shall be subject to an injunction and liable for a civil penalty of not more than two thousand five hundred dollars ($2,500) for each violation or seven thousand five hundred dollars ($7,500) for each intentional violation, which shall be assessed and recovered in a civil action brought in the name of the people of the State of California by the Attorney General. The civil penalties provided for in this section shall be exclusively assessed and recovered in a civil action brought in the name of the people of the State of California by the Attorney General

Proposed Change: Any business, service provider, or other person that violates this title shall be subject to an injunction and liable for a civil penalty of not more than two thousand five hundred dollars ($2,500) for each violation or seven thousand five hundred dollars ($7,500) for each intentional violation, which shall be assessed and recovered in a civil action brought in the name of the people of the State of California by the Attorney General.

What this means: Originally considered a safety net for organizations, the 30-day cure period allowed an organization to fix problems within that window before facing prosecution.  The proposed change removes this cure period and, at the same time, eliminates the language stating that penalties are exclusively recoverable by the Attorney General, which would otherwise hinder an individual’s private right of action.

What’s Next

While this isn’t the first round of revisions (see SB-1121), it is very common for pioneering legislation to go through multiple rounds of review and adjustment throughout its life.  And while these and future amendments can add confusion around compliance planning and preparation, they in no way hinder an organization’s ability to take early and important preparatory steps.  In fact, no major changes have occurred to the Act’s core provisions, including the rights to access, portability, and deletion, privacy notices, “Do Not Sell My Personal Information” protocols, and requirements around vendor management.  With that said, total compliance with the Act will be challenging for most, but certainly not impossible – get a head start by assessing your risks so you can proactively meet the new requirements before the year gets away.

About the Author

Kevin Kish

Kevin Kish is a Privacy Technical Lead with Schellman & Company, LLC. With nearly 8 years of industry experience, he has a strong history of implementing, maintaining, and assessing global information security and privacy requirements, including ISO 27001, HITRUST, Privacy Shield and the General Data Protection Regulation. As an industry advocate, he is passionate about researching and writing on the fundamentals and concepts of sustainable data privacy, and about educating clients on the risks, challenges, and best practices around data privacy legislation. He holds several privacy designations from the International Association of Privacy Professionals, including CIPP/US, CIPP/E, and CIPM.
