Proposed Amendments Seek to Broaden the Scope of the California Consumer Privacy Act
In June of 2018, California enacted the California Consumer Privacy Act (the “CCPA”), the most comprehensive data privacy law to date in the United States. The CCPA originally began as a ballot initiative. However, the sponsor of that ballot initiative withdrew the measure when the California legislature agreed to pass a consumer privacy bill—one that, under California law, is much easier to amend and revise than the proposed ballot initiative. For more on the CCPA, please see our August 2018 article, What You Need to Know About California’s New Privacy Law.
Now, in the Spring of 2019, we are seeing the first proposed amendments to the CCPA. California State Senator Hannah-Beth Jackson (D-Santa Barbara) introduced S.B. 561 on February 22, 2019. The bill has the full support of the California Attorney General, and would enhance the rights of consumers under the CCPA.
Most notably, the bill would provide consumers with a private right of action with respect to violations of the CCPA. As originally written, the CCPA provided only a limited private right of action in the case of a data breach resulting from a business’ violation of the CCPA’s duty to implement and maintain appropriate security procedures. The amendments proposed by S.B. 561, on the other hand, would permit consumers to sue for any violation of the CCPA, and, with the possibility of up to $750 in statutory damages per incident, greatly increase risk for businesses subject to the CCPA.
Another proposed amendment of the bill may, however, reduce risk for businesses with respect to individual claims under the CCPA. The bill would eliminate a 30-day cure period for non-compliance actions brought by the Attorney General, but would retain the cure period for actions brought by individuals. While it may be difficult for a business involved in a potential lawsuit with a private individual to cure a data breach that has already occurred, the retention of the 30-day cure period before individual actions accrue may help to reduce the risk of litigation over minor, technical violations of the CCPA.
S.B. 561 also reduces the requirements imposed on the California Attorney General in that the Attorney General is no longer obligated to provide opinions on request; rather, the Attorney General may, in his or her discretion, choose to provide opinions regarding a requesting business’ compliance with the CCPA.
As mentioned above, the California Attorney General supports S.B. 561. With the bill heading to a vote soon, the odds of passage appear to be high. The CCPA (with any successful amendments) is to take effect on January 1, 2020. While the CCPA, especially in light of the proposed amendments, remains the broadest consumer data privacy law in the United States, lawmakers and stakeholders in many other states have proposed privacy laws similar to the CCPA.