Privacy & Information Security Law Blog

On February 22, 2019, California state senator Hannah Beth-Jackson introduced a bill (SB-561) that would amend the California Consumer Privacy Act of 2018 (“CCPA”) to expand the Act’s private right of action and remove the 30-day cure period requirement for enforcement actions brought by the State Attorney General. The bill would not change the compliance deadline for the CCPA, which remains January 1, 2020. California Attorney General Xavier Becerra supports the amendment bill, characterizing it as “a critical measure to strengthen and clarify the CCPA.”

If passed, the bill would amend the CCPA as follows:

• Private Right of Action
  • Expand the civil right of action for damages to apply to any consumer whose rights under the CCPA are violated.
    • The private right of action under the CCPA is currently limited to instances in which a consumer’s nonencrypted or nonredacted personal information is subject to unauthorized access and exfiltration, theft or disclosure as a result of a business’s failure to maintain reasonable security procedures.
    • The proposed amendment would allow consumers whose rights under the CCPA are violated to bring a private right of action against a business.
  • No other sections of the private right of action provision would change.
    • Penalties for violations of the Act remain unchanged:
      • $100-$750 per consumer per incident or actual damages, whichever is greater;
      • Injunctive or declaratory relief; and
      • Any other relief the court deems proper.
    • 30-day cure period provision remains unchanged:
      • For an action for statutory damages, a consumer must still provide a business with 30 days’ written notice and an opportunity to cure the violation. If within the 30 days the business cures the violation and provides the consumer an express written statement that the violations have been cured and that no further violations shall occur, the consumer would be barred from bringing an action for individual statutory damages or class-wide statutory damages.
      • For an action for actual damages, as under the current language of the CCPA, a consumer is not required to provide a business with 30 days’ notice and an opportunity to cure.

• California Attorney General Enforcement
  • Remove the 30-day cure period for enforcement actions brought by the California Attorney General.
    • The CCPA currently states that a business shall only be in violation of the CCPA if it fails to cure any alleged violation of the CCPA within 30 days after being notified of alleged noncompliance.
    • The proposed amendment would remove this provision, allowing the California Attorney General to bring enforcement actions for violations of the CCPA even when a business has “cured” the alleged violations.
  • End the ability to seek guidance from the California Attorney General about how to comply with the CCPA.
    • The CCPA currently provides the opportunity for any business or third party to seek the opinion of the California Attorney General for guidance on how to comply with the CCPA.
    • The bill would eliminate this provision and instead state that the Attorney General “may publish materials that provide businesses and others with general guidance” on how to comply with the CCPA.
  • The penalties the California Attorney General can bring for violations of the CCPA remain the same:
    • Injunction; and
    • Civil penalties of up to $2,500 for each violation or $7,500 for each intentional violation.

If passed, the expanded private right of action provision would significantly increase businesses’ liability risks under the CCPA. While the California Attorney General is limited in his ability to bring enforcement actions until six months after the passage of implementing regulations or July 1, 2020, whichever comes first, consumers may bring private rights of action beginning on January 1, 2020, the CCPA’s compliance deadline. Businesses therefore should be prepared to comply with the CCPA by January 1, 2020.