California AG backs changes to California Consumer Privacy Act

Published on

Touted as strengthening the California Consumer Privacy Act (CCPA), which was enacted in June of 2018 with an effective date of January 1, 2020, California Attorney General Xavier Becerra is backing two new bills that would impose additional requirements on California businesses while also eliminating their right to cure problems or seek guidance from the Attorney General’s office regarding compliance with the CCPA. AB 1130, if passed, would expand the types of information covered by the data breach notification requirements, while SB 561 would eliminate the 30-day cure period and the right of businesses to seek an advisory opinion from the Attorney General’s office on how to comply with the law. Taken together these two laws indicate that the California legislature is under pressure to shift some burdens of the law onto businesses.

At the same time, though, business interests are working to create fixes to the law that will preserve the intent to increase consumer privacy without creating additional burdens on California businesses. AB 1146, sponsored by the California New Car Dealers Association, recognizes that it is vital that businesses share information with each other for purposes such as public safety. The bill would create a carve-out from the CCPA for franchised dealers that will allow them to share information with manufacturers regarding warranty or recall repairs. If the bill passes, dealers will be able to continue their practice of sharing customer ownership information with manufacturers to ensure that customers get the best information possible about warranty and recall repairs.

Background of the CCPA

In June of 2018, on the last day to qualify ballot measures for the 2018 ballot, California adopted AB 375, the strongest privacy law in the nation. The new law is modeled somewhat on the European Union General Data Protection Regulation (GDPR), which famously purports to give customers the “right to be forgotten,” and gives consumers several new rights, aiming to bring more control and transparency to the murky trade and use of people's personal data. It also, for the first time, provides consumers with the ability to sue companies that mishandle their data without ever having to prove harm due to the misuse.

Attorney General Opinions

SB 561 eliminates the option provided to businesses and other third parties under Section 1798.155(a) to seek the opinion of the Attorney General on how to comply with the CCPA. The bill would instead require the Attorney General to publish general public guidance about the law. While this provision did not directly affect businesses’ potential liability under the law, it would greatly reduce their ability to seek advice that could form the basis for future defenses or otherwise establish guidance related to difficult compliance issues presented by the law.

30-Day Cure Period

SB 561 also deletes the 30-day cure period currently provided for under the law. Section 1798.155(b) allows businesses 30 days from the date of receiving notification of an alleged noncompliance to cure the alleged violations before a civil action could be commenced. The CCPA Bill would allow for enforcement under the CCPA immediately, without prior notice. The legislature had previously amended the CCPA with SB 1121 by allowing consumers to bring lawsuits without providing notice for their actual damages. This bill would eliminate the 30 day right to cure entirely, leaving businesses open to statutory penalties with no option to cure the problem to avoid liability.

Date Breach Notification Law Amendment

AB 1130 would expand the types of data that are covered by California existing breach notification law. Under current law, notification obligations are only triggered for breaches involving “personal information,” which is currently defined as a first name or initial and last name in conjunction with a social security number, driver’s license number, California identification card number, account number or financial card number in combination with a password, medical information, health insurance information, or information collected through an automated license plate recognition system. This bill would expand the information to include other types of government issued identification numbers and biometric data. For dealers this addition is unlikely to present major compliance issues, as most transactions are conducted using the government identification numbers currently covered by the law. Nonetheless, this expansion indicates that privacy and data restrictions may become even more restrictive as the state moves towards the January 1, 2020 implementation date and beyond.