California Consumers Privacy Act got amended and enforcement actions delayed

After only three months from its approval the California Consumers Privacy Act (CCPA) was amended.

On September 23, 2018 Senate Bill 1121 was signed into law. The legislation, which takes effect immediately, amends the CCPA, which was passed on June 2018. Among other things, the amendment:

clarifies the definition of “personal information”, explaining that it “includes, but is not limited to, the following if it identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household;”

– requires businesses to “disclose the consumer’s right to delete personal information in a form that is reasonably accessible to consumers and in accordance with a specified process”;

clarifies that “the rights afforded to consumers and the obligations imposed on any business under the act does not apply if those rights or obligations would infringe on the noncommercial activities of people and entities described in a specified provision of the California Constitution addressing activities related to newspapers and periodicals.

The law also introduces (or expands) some exclusions from the CCPA:

i) personal information collected, processed, sold, or disclosed pursuant to a specified federal law relating to banks, brokerages, insurance companies, and credit reporting agencies; 

ii) information pursuant to the California Financial Information Privacy Act;

iii) medical information, providers of health care or a covered entity, and information collected as part of clinical trials.

The amendment clarifies that the CCPA does not (obviously) apply if it is in conflict with the U.S. Constitution;

More importantly the legislation delays Attorney General’s enforcement actions on CCPA: enforcement will start only after 6 months from the publication of the Attorney General’s implementing regulations, or July 1, 2020, whichever comes first, and limits “the civil penalty to be assessed in an Attorney General action in this context to not more than $2,500 per violation or $7,500 per each intentional violation”.

It also gives clarification of the private right of action: the only one permitted is the private right of action for “violations of unauthorized access and exfiltration, theft, or disclosure of a consumer’s nonencrypted or nonredacted personal information”. In addition, the legislation deletes the requirement that a consumer bringing a private right of action notify the Attorney General

More on the legislative history of Senate Bill 1121 is available at…

More on the content of the Bill is available at…


For more information on this and for advice on privacy implementation, contact Francesca Giannoni-Crystal. Thanks to Federica Romanelli.



Follow us on& Like us on