California Governor Brown recently signed into law SB 1121, which amends the California Consumer Privacy Act of 2018 to provide much-needed relief to retailers and other businesses that collect consumer information. The amendments take effect immediately.

The California Retailers Association (CRA) worked successfully with other business leaders as part of the Privacy Coalition to secure passage and signature of SB 1121, and will continue to work on a more comprehensive clean-up bill in 2019.

As we previously reported, the Act grants consumers various rights with regard to their personal information held by businesses, including:

  • The right to request that a business provide them with specific information the business has collected about them, including categories of information sold, and third parties to whom information is sold.
  • The right to request deletion of personal information the business has collected about the consumer. The business must comply unless one of several exceptions applies, including that the information is necessary to perform a specific business function.
  • The right to opt out of sale of the consumer’s personal information.
  • Affirmative opt in for sale of minors’ information.

The Act required disclosure of these rights in the company’s online privacy policy. The amendments clarify that disclosure can be “in a form that is reasonably accessible to consumers.”

The Act provided for general enforcement by the Attorney General, but created a private right of action for data breaches. The amendments clarify that this private right of action only applies to data breaches.  The Act provides for recovery of the greater of actual damages, or between $100 and $750 in statutory damages, to be determined by the court based on a number of factors.  Consumers can file suit, either as an individual or on a class-wide basis, only after providing the business with notice and 30 days to cure the breach – raising the issue of what would be an acceptable cure.

The Act provided that a business that violates its provisions, and fails to cure those violations within 30 days, is liable in an action by the Attorney General for a civil penalty under California’s unfair competition law. The amendments remove references to the unfair competition law, limit the civil penalty to be assessed in an Attorney General action to not more than $2,500 per violation, or $7,500 for each intentional violation, and specify that an injunction is also available.

Unlike most data privacy and security statutes, the Act carves out an exception for small businesses. It only applies to a business if it (1) buys, sells or shares personal information of 50,000 consumers or devices, (2) has gross revenue of greater than $25 million, or (3) derives 50 percent of its annual revenue from sharing personal information.

The amendments remove the Attorney General’s “gatekeeper” function, which gave the Attorney General the first right of refusal to file an action in the event of a data breach. This change was made after the Attorney General declared its intention not to stand in the way of consumer lawsuits.

The amendments delay enforcement by six months to July 1, 2020, or six months after the regulations are finalized, whichever is sooner. The private right of action provisions for a data breach are not delayed, and still go into effect January 1, 2020.

For further information about what the Act (as amended) requires, see the Bryan Cave Leighton Paisner California Consumer Privacy Act (“CCPA”) Practical Guide.