On August 24, 2018, the California Legislature published the first round of proposed amendments to the California Consumer Privacy Act, which was signed into law on June 28, 2018 and would take effect January 2020. The full text with amendments can be found here. Here are our major highlights:

The proposal narrows slightly the previously expansive definition of “personal information,” which previously included information such as a user’s IP address. Now “personal information” will require the information to be capable of being associated with a particular consumer or household. This helps minimize some of the runaway impacts of the previously expansive definition without losing its all-inclusive character. The proposal also pushes back the January 2020 deadline to July 2020 for the Attorney General to implement and draft mandated regulations. This will cause major compliance risk for organizations, as the law will be “effective” for some time without clear guidance from regulators.

On the health-privacy front, the law had only provided an exemption for covered entities under HIPAA, creating confusion and compliance concerns for holders of healthcare data about whether this exemption also covered business associates. New amendments now expand the exemption to include business associates. Financial privacy also received clarification with the GLBA receiving an exemption (while preserving consumer’s right to sue in case of a breach) instead of the previous ambiguous exemption that applied only where there was a “conflict.”

Our take

The real story in these proposed amendments is that they change very little. Industry groups will be happy that the newly narrowed personal information definition is something they can work with, but consumers managed to preserve many of their major rights in this first revision. The right to opt-out will remain a serious battle going forward as the deletion of customer data is both difficult and expensive for industry to implement.