Amendments to California’s Privacy Legislation Address, Among Other Things, “Personal Information” and Consumers’ Private Right of Action
On August 31, California Governor Jerry Brown approved several amendments to the California Consumer Privacy Act (CCPA), which clear up some of the original legislation’s ambiguities, while leaving other issues unresolved.
Many anticipate that this is just the first round of changes to the legislation. Still, the initial amendments are telling in that they touch upon two key aspects of the CCPA: (1) what constitutes “personal information” under the CCPA; and (2) the conditions and manner in which consumers can exercise their “private right of action.”
The amended legislation retains the eleven data elements initially designated as “personal information” but indicates that these data elements are no longer considered personal information by default. Rather, the CCPA will apply only in instances when such information “identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.” This qualification signals a slight easing of the burden placed on businesses.
Private Right of Action
The amended version of the CCPA dispenses with the requirement that consumers must provide 30 days’ notice to the California Attorney General’s Office before bringing a private right of action for injuries (including non-monetary injuries) resulting from data breaches. It does, however, retain the requirement that before initiating a private action, consumers must provide 30 days’ written notice to the offending business, detailing the specific provisions of the CCPA that business allegedly violated. Once notified, the business then has 30 days to address the alleged violations, during which time the business can request guidance from the Attorney General on how to “cure” the alleged violation. Importantly, the amended legislation specifies that a consumers’ private right of action only applies to data breaches, to the exclusion of other CCPA provisions.
The initial amendments to the CCPA are likely indicative of legislative battles to come, leading up to the CCPA’s effective date, January 1, 2020. To learn more, read our recent client advisory (Amendments Draw Future Battle Lines Over Landmark California Privacy Legislation) about what these amendments address with respect to what constitutes personal information, a consumer’s private right of action, as well as the compliance requirements for businesses in and outside the state of California. If you have questions, contact Melissa Kern, Jane Hils Shea, Mike Nitardy, or any member of Frost Brown Todd’s Data Privacy and Information Security Team.
Ask the Blogger
Do you have a topic that you would like discussed in a future blog article? Please let us know. If you have a confidential question regarding a blog article, please feel free to contact the article's author directly, or let us know if you would like for someone to contact you directly.
Jane Hils Shea has lead FBT’s Privacy and Information Security Practice Area since its creation in 2001 and is a Certified Information Privacy Professional (CIPP-US).