California Consumer Privacy Act Amendment Signed into Law

October 2018

On September 23, 2018, California's Governor Jerry Brown announced that he signed SB 1121 into law. SB 1121 modifies the California Consumer Privacy Act of 2018 (the “Act”), which was passed earlier this year (discussed in a September 2018 alert). SB 1121 leaves the Act largely intact, but it does clarify certain aspects of the Act, as briefly discussed below.

Immediate Effect

SB 1121 clarifies that the Act will go into effect immediately in order to prevent enactment of conflicting local laws.

New Enforcement Date

The Act states that its requirements will not become operative until January 1, 2020. However, SB 1121 provides that the California Attorney General cannot enforce the Act until six months after publishing regulations pursuant to the Act or July 1, 2020, whichever is sooner. This likely extension of the enforcement date should give companies more time to comply with the requirements of the Act.

Exemptions under the Act

The Act already provides that information collected pursuant to the Gramm-Leach-Bliley Act, the Driver’s Privacy Protection Act, and HIPAA (the Health Insurance Portability and Accountability Act) is not subject to the Act. SB 1121 supplements the Act in mandating that information collected pursuant to the California Financial Information Privacy Act is also exempt from the Act. SB 1121 also clarifies that the Act does not apply if it conflicts with the U. S. Constitution. Last, SB 1121 provides that the Act does not apply if it would infringe on a person or entity’s noncommercial speech rights.

Private Right of Action

SB 1121 clarifies that the only consumer private right of action permitted under the Act is for data breaches. Additionally, SB 1121 extinguishes both the requirement that a consumer bringing a private right of action notify the California Attorney General and the Attorney General’s ability to prohibit a consumer private right of action. SB 1121 still prohibits a consumer from initiating an action against a business within 30 days after he or she has notified that business of any violations he or she has detected.

Right to Deletion

The Act previously required that a consumer’s right to deletion of personal information be disclosed on businesses' websites or in their online policies. SB 1121 modified this requirement by giving businesses the flexibility to disclose the right to deletion in a form reasonably accessible to consumers. 


SB 1121 differentiates between penalties for intentional violations of the Act and nonintentional violations of the Act, with the former not more than $7,500 per violation and the latter not more than $2,500 per violation.

SB 1121 clarifies the requirements of the Act so that business can effectively move toward compliance. If you would like assistance with complying with these requirements, please contact one of our Cybersecurity & Data Privacy attorneys.