California Consumer Privacy Act Passed by California Legislature

In June 2018, the California Consumer Privacy Act (CCPA) has been passed by the California legislature and thus important changes on how the state law safeguards consumer privacy are expected. The new consumer privacy protections and rights of the CCPA have parallels with the General Data Protection Regulation (GDPR) in the European Union.

The CCPA differs from the GDPR in the sense that it only applies to for-profit firms retaining the information of over 50,000 people. The new consumer rights under CCPA that are identical to the GDPR include:

  • the right to request access to personal information retained by a company
  • the right to be alerted if personal information is going to be marketed or shared
  • the right to be informed about data collection
  • the right to have personal information removed and to halt the marketing of personal data

Tech corporations such as Google, Facebook and PayPal intensely criticized CCPA. Thirty-eight trade organizations sent the lawmakers in California a 38-page document voicing their issues on the CCPA requirements. These groups say that certain segments of the new law are impractical and some technical issues would probably have adverse and unintended consequences.

The CCPA will be in force on January 1, 2020, so Californian legislators still have a lot of time to work on changes. One change in the law has just been approved on August 31, 2018. SB 1121 made some technical changes to the CCPA and a considerable adjustment in its implementation. The compliance date hasn’t changed and the CCPA will take effect the minute it is ratified. The SB 1121 is considered as a way to ensure that California localities are not passing contradictory policies before January 1, 2020.

CCPA-covered entities shall be granted extra time to comply, as SB 1121 tweaked the date for the California Attorney General to introduce its implementation rules. The implementation rules is estimated to be available by July 1, 2020. The Attorney General cannot implement CCPA enforcement actions if a company does not comply with CCPA in six months from the time the implementation rules are published.

In comparison to HIPAA, the CCPA is composed of a private right of action which allows California residents to submit a lawsuit against companies that have data breaches caused by the failure to execute appropriate security actions. In past times, consumers who wish to take legal action for personal data breach have to notify the attorney general within 30 days of submitting a case. This notification requirement is not in force anymore.

SB 1121 likewise clarified exemptions for data presently covered by other legal acts, for instance the Driver’s Privacy Protection Act (DPPA), the Gramm-Leach-Bliley Act (GBLA) and the Health Insurance Portability and Accountability Act (HIPAA). All data covered by the HIPAA, DPPA, and GBLA no longer fall under the CCPA. Moreover, SB 1121 has confirmed that the CCPA does not apply to: HIPAA-covered entities, the data that HIPAA-covered entities or business associates collect, and data that form a part of a research test.

SB 1121 is approved by the legislators but the state governor has until September 30, 2018 to put his signature on the amendment.

About Christine Garcia 1299 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at