Will You Be Affected By The California Consumer Privacy Act?

In June of 2018, California passed the Consumer Privacy Act (CCPA), a law with similar rules to the European GDPR, which is set to be enforced on January 1 of 2020. However, on September 23, the California government approved an amendment (labelled SB 1121) to modify important areas of the act and to improve consumer privacy and security rights. The CCPA and the upcoming changes are not only expected to affect Californian organizations, but also ones that conduct business in the state, meaning that the U.S. market will most likely be affected. Below is a list of changes that are expected to occur as a result of the amendments:

1. The definition of personal information has been clarified

   The CCPA gives consumers the right to know which specific pieces of personal information businesses gather and to whom it is sold or disclosed. Consumers are also free to opt-out of the selling of their information, without the fear of being discriminated against. But, due to the fact that the CCPA was passed through the senate quickly, some things were not made completely clear. Consequently, the amendment clarifies that personal information includes information that identifies, describes and can be related or connected to a specific user or household.

2. The CCPA allows the right to private action

   Unlike the Health Insurance Portability Act (HIPAA) privacy rule, CCPA permits California residents to take legal action against companies that are hacked or breached due to their failure to enforce the necessary security measures. In the original CCPA, consumers were obliged to notify the attorney general within 30 days of taking legal action. This is no longer the case.

3. Data covered by other laws is exempt

   The amendment has clarified that data already governed by other privacy laws and legislation is exempt even if they contradict the CCPA. Such legislations include HIPAA, the Gramm-Leach-Bliley Act (GLBA), as well as the Driver's Privacy Protection Act (DPPA). This means that HIPAA covered entities and business associates participating in clinical trials are also exempt.

   Because there is over a year remaining for the CCPA to be enforced, it is expected that more amendments will be introduced, discussed, drafted and published to cater for various consumer and industry groups.