This week we continue our series of articles on the California Consumer Privacy Act of 2018. One of the biggest challenges for all of us who are analyzing this law is that even before its 2020 effective date, it’s still a work in progress. This week, legislation was introduced by California State Senator Hannah-Beth Jackson to amend the CCPA.
We’ve been discussing the broad nature of this privacy law and answering some general questions, including What is it? Who does it apply to? What protections are included for consumers? How does it affect businesses? What rights do consumers have regarding their personal information? What happens if there is a violation? This series is a follow up to our earlier post on the CCPA.
In Part 1 of this series, we discussed the purpose of the CCPA, the types of businesses impacted, and the rights of consumers regarding their personal information. In Part 2, we reviewed consumer requests and businesses obligations regarding data collection, the categories and specific pieces of personal information the business has collected, and how the categories of personal information shall be used.
This week’s proposed amendments (Senate Bill 561) come on the heels of six recent public hearings at which the Attorney General’s office listened as members of the public, advocacy groups, lawyers, trade and business organizations, and interested parties provided their opinions, concerns and suggestions for clarification of the CCPA.
Senate Bill 561 proposes several significant changes, including expanding the private right of action:
1) It seeks to amend Section 1798.150 (a)(1) to expand the public’s right to institute a civil action to include any consumer whose rights under this title are violated, not just those consumers whose non-encrypted or non-redacted personal information was subject to unauthorized access and exfiltration, theft, or disclosure;
2) It eliminates the ability of businesses or third parties to seek an opinion of the Attorney General, and it adds that the Attorney General may provide businesses and others with general guidance on compliance with the law amending Section 1798.155(a); and
3) It eliminates the 30-day cure period that would have given a business 30 days after notification of a violation to cure the alleged noncompliance amending Section 1798,155 (b).
So, is the CCPA still a work in progress? It definitely appears that it is. As we contemplate additional amendments such as the one discussed here, we await additional guidance and regulations to interpret the “final” CCPA. Just like the latest technologies that fascinate us and are constantly evolving, enacting a comprehensive privacy law appears to be an example of a living document that might also evolve. The law typically lags behind in terms of catching up to technology, but California appears to want to make the CCPA as forward thinking as possible prior to its effective date. Making and anticipating changes to the law makes it more of a challenge to fully operationalize the CCPA, but California is on the cutting edge of privacy law in the United States, so being ready to do so is critical.
Date: March 5, 2019
Source: Data Privacy+Security Insider