The Bottom Line
- California continues to take the most active role of any state in regulating privacy and imposing obligations on businesses.
- With the upcoming January 2020 deadlines for the CCPA and the proposed IoT law, business should continue — or begin, if they have not already done so — their efforts to comply.
The California legislature continues to legislate in the privacy realm. In recent weeks, it passed two bills that would impose privacy obligations on manufacturers of “connected devices” and one bill that would modify the recently enacted California Consumer Privacy Act of 2018 (CCPA). All of the bills are awaiting action by Governor Jerry Brown.
The Internet of Things
The number and variety of connected devices composing the Internet of Things (IoT), such as thermostats, appliances and wearables, is growing at an astronomical pace, and the California legislature has taken notice.
The two bills passed by the legislature — Assembly Bill No. 1906 and Senate Bill No. 327 — would require a manufacturer of a connected device sold or offered for sale in California to equip the device with a “reasonable security feature or features” appropriate to the nature and function of the device and to the information it may collect, contain, or transmit. The security feature or features also would have to be designed to protect the device and any information it contains from “unauthorized access, destruction, use, modification, or disclosure.”
The bills provide that if a connected device is equipped with a means for authentication outside a local area network, it would be deemed a reasonable security feature if the preprogrammed password is unique to each device manufactured or if the device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.
The bills do not apply to entities subject to the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) or the Confidentiality of Medical Information Act, with respect to any activity regulated by those acts. They also do not apply to any connected device with functionality that is subject to federal security requirements.
Moreover, the bills also do not authorize any private right of action but, rather, limit enforcement to California’s attorney general, city attorneys, county counsel, and district attorneys.
If signed by the governor, the bills would become operative on January 1, 2020.
The CCPA
It has been only a few months since the California legislature passed the California Consumer Privacy Act of 2018 (CCPA) (see our prior alert), but the legislature already has passed a bill — Senate Bill No. 1121, which is even longer than the original bill – that would clarify and modify some of the CCPA’s provisions.
Briefly, the CCPA grants various rights to consumers, effective January 1, 2020, with respect to their personal information held by businesses, including the right to request that a business provide access to and delete any personal information about the consumer collected by the business, and notice of the sale of such information.
Since the CCPA was passed in such a hurry, it contained a number of errors and inconsistencies. More importantly, because the CCPA will require such significant changes in information handling processes, businesses are clamoring for clarity on some of the more confusing clauses and seeking relief on some stringent requirements.
Senate Bill No. 1121 would modify the CCPA in a number of ways. Among other things, the bill would:
- Clarify that, in most cases, information would only meet the definition of personal information if it identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household;
- Clarifies exemptions for personal information collected, processed, sold, or disclosed by banks, brokerages, insurance companies, and credit reporting agencies which are subject to other privacy laws;
- Revise and expand the exception in the CCPA for medical information;
- Narrow the private right of action provided by the CCPA, but eliminate the CCPA’s requirement that a consumer bringing a private right of action notify the attorney general;
- Extend the deadline for the attorney general to enact regulations under the CCPA from January 1, 2020 to July 1, 2020; and
- Most importantly, prohibit the attorney general from bringing actions to enforce the CCPA until six months after the attorney general has published final regulations under the CCPA or July 1, 2020, whichever is sooner.