Update: 2018 California Consumer Privacy Act is Amended

To great fanfare, earlier this summer, the California General Assembly passed the California Consumer Privacy Act of 2018 (the “CCPA” or the “Act”). See here. The CCPA has caused quite a stir among San Diego and California businesses and there have been intense efforts over the summer to scale back and delay some of the provisions. Some of those efforts were successful, although it is predicted that more efforts will be made. See SB 1121.

Here is a rundown on the changes recently passed. Governor Brown is expected to sign the new legislation.

San Diego Consumer Protection: Changes Since June 2018

Effective Date Pushed Back for AG Actions

The effective date of the CCPA was and remains January 1, 2020. However, the amended statute effectively extends the effective date to July 1, 2020 at the earliest, but probably later. The revised statute gives the California Attorney General until July 1, 2020 to promulgate and publish implementation rules. The Attorney General is prohibited from enforcing the Act until either that date or “six months after” the date the Attorney General publishes the regulations. Thus, likely, the effective date of the Act will be late 2020 or 2021.

Effective Date for Private Actions Still January 1, 2020

Note that the amended legislation does not push back the effective date for private rights of action that might be filed by consumers. See below.

Slight Change to Civil Consumer Private Lawsuits

The original Act and the amended Act give consumers the right to bring private lawsuits if:

• There is a breach and
• The consumer’s nonencrypted or nonredacted personal information is
• Subject to an unauthorized access and exfiltration, theft, or disclosure
• Caused by violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect.

Consumers may recover actual damages for the data breach/theft or statutory damages between $100-750 per customer and per data loss, whichever is greater.

The original Act required that plaintiffs send notice to the Attorney General giving the AG the right to intervene if desired after a six-month waiting period. However, that notice provision and the waiting period have been removed.

No Change to the “Businesses” Covered

In good news for smaller businesses, the amendments did not modify the definition of the businesses that are subject to the provisions of the CCPA. The businesses covered remain those that collect personally identifiable information and

• Have annual gross revenues of $25 million or more or
• Buy, receive, sell, or share the personal information of 50,000 or more consumers, households, or devices or
• Where 50% or more of annual revenues are derived from selling personal information

Contact San Diego Corporate Law

For more information, contact Michael Leonard of San Diego Corporate Law. Mr. Leonard has the legal skills and experience to keep you and your business abreast of changes to California law.  Mr. Leonard provides legal services related to business law, contracts, corporate entity formations and maintenance, private securities offerings/sales, the sale/purchase of a business and for mergers and acquisitions. To schedule a consultation, contact Mr. Leonard via email or call (858) 483-9200.

You Might Also Like:

Reasons for Caution: Employee-Operated Social Media Accounts

California Business Law: Retroactivity of Court Decisions and Dynamex

Keeping Biometric Data Private and Secure

Data Breaches and Data Protection for San Diego Businesses

Can I Use GPS or Phone Apps to Track My San Diego Worker’s Movements?