In response to several defects identified in the recently enacted California Data Privacy Protection Act (CDPPA), which raced through the Legislature at lightning speed, the Legislature amended SB 1121 by Senator Bill Dodd (D-Napa) to address several of the most glaring deficiencies. The Governor approved the bill last week.
Among the clarifications to the CDPPA is an exemption for news gathering activities of a newspaper or broadcaster.
Other major changes to the CDPPA include:
- Removing the requirement that a consumer bringing an action pursuant to the Act must first notify the Attorney General. It would also remove certain duties placed upon the Attorney General;
- Providing that any business, service provider, or other person that violates the Act is subject to an injunction and liable for a civil penalty of not more than $2,500 for each violation or $7,500 for each intentional violation; and
- Extending the date by which the Attorney General is required to adopt regulations from January 1, 2020, to July 1, 2020, and restricting the AG from bringing an enforcement action until six months after publication of final regulations or July 1, 2020, whichever is sooner.
The CDPPA empowers consumers with the right to be informed about what kinds of personal data companies have collected and why it was collected. Among other protections, the law requires that consumers have the right to request from a business what data the business collects about them, request the deletion of that personal information, opt out of the sale of that personal information, and access the personal information in a “readily useable format” that enables its transfer to third parties without hindrance.
The law establishes a broad definition of “personal information,” drawing in categories of data including a consumer’s personal identifiers, geolocation, biometric data, internet browsing history, psychometric data, and inferences a company might make about the consumer. The protections over this data are to be enforced by the Attorney General, though consumers maintain a private right of action should companies fail to maintain reasonable security practices, resulting in unauthorized access to the personal data.
It will go into effect on January 1, 2020.
It is expected that clean-up legislation will be introduced in the next legislative session to further clarify the scope of the CDPPA and potential liability.