We have previously reported on the anticipated impact of the new California Privacy Law—the California Consumer Privacy Act (“the Act”) [view related post].
The first amendment to the Act, (most likely be the first of many amendments) recently obtained approval from state lawmakers and is on its way to Governor Jerry Brown for signature.
The amendment is focused on clarifying language and fixing drafting errors and inconsistencies in the law, but also includes substantive changes including:
- Extending the deadline imposed upon the Attorney General to develop and publish rules related to implementation of the Act until July 1, 2020;
- Prohibiting the Attorney General from enforcing the Act until either July 1, 2020, or six months after the regulations have been published, whichever occurs first;
- Removes the requirement that a consumer must notify the Attorney General within 30 days of filing a civil action and wait six months to allow the Attorney General to file suit for the violation;
- A consumer can only bring suit for a business’ failure to “implement and maintain reasonable security procedures and practices” that results in a breach and not for any other violations of the Act;
- Civil penalties are limited to $2,500 for each violation or up to $7500 for intentional violations;
- Revised the definition of personal information including IP address, geolocation information and web browsing history only if the data can be linked to a particular household or consumer;
- Exempts entities covered by HIPAA, GLBA, DPPA, and California’s Confidentiality of Medical Information Act and Financial Information Privacy Act.
These substantive changes will be helpful to companies in determining compliance, but it is expected that more amendments are forthcoming when the legislature reconvenes in January. We will update you as more amendments are enacted.