In September 2018, just three months after the California Consumer Privacy Act was introduced, California’s Governor Jerry Brown signed SB 1121 into law. SB 1121 amends the CCPA which was passed in June this year. SB 1121 leaves the Act mostly intact, but it brings clarity to certain aspects of the CCPA.
The CCPA is not due to become law until January 1, 2020. But SB 1121 states that the California Attorney General can not enforce the Act until six months after publishing regulations pursuant to the Act, or July 1, 2020, whichever is sooner. The probable extension to the enforcement date should give organizations more time to make sure they comply with the Act.
Private Right of Action
SB 1121 clarifies that the only consumer private right of action permitted under the Act is for data breaches. Additionally, SB 1121 removes both the requirement that; a consumer bringing a private right of action notify the California Attorney General, and the Attorney General’s ability to prohibit a consumer private right of action.
SB 1121 still prohibits consumers from initiating an action against a business within 30 days after they have notified that business of any violations they have detected.
Consumers Right to Deletion
The CCPA previously required that a consumer’s right to deletion of personal information be disclosed in businesses’ online policies. SB 1121 modified this requirement by allowing businesses the flexibility to disclose the right to deletion in a form accessible to consumers.
SB 1121 differentiates between penalties for intentional violations of the Act and non-intentional violations of the Act. Each intentional violation will receive a penalty of up to $7,500 for each record, while non-intentional violations involve a fine of up to $2,500 per record. This could mean severely punitive fines for violations involving for example, 100,000 records.
You do the math.