California Considers Bill to Expand CCPA

A potentially significant amendment to the California Consumer Privacy Act (CCPA) was introduced in the California Senate Friday, February 22, by California State Senator Hannah-Beth Jackson (D, S-19). The proposed law, Senate Bill 561, was announced in a joint press statement with California Attorney General Xavier Becerra on Monday, February 25. If passed, it would amend the CCPA in three major ways:

(1) The bill would expand the private right of action in the CCPA by amending California Civil Code Sections 1798.150 (a) and (c) to add “any consumer whose rights under [the CCPA] are violated” to consumers “whose personal information is exposed in a data breach as a result of a company’s failure to implement and maintain reasonable security procedures and practices” as potential plaintiffs in a private civil action under the title. The remedy for violations is unchanged—not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater, or injunctive or other declaratory relief at the court’s discretion. If enacted this would greatly expand the right to sue in California for privacy violations.

(2) The bill would amend Section 1798.155(a) to eliminate the 30-day window businesses currently have under the law to cure violations after being notified of alleged noncompliance by the state Attorney General before facing civil liability. As amended, “[a]ny business, service provider, or other person that violates this title shall be subject to an injunction and liable…” without any guaranteed safe harbor or opportunity to cure. Thus, this bill would eliminate the ability to remediate within the 30 day period and subject a company to immediate legal action.

(3) The bill would amend Section 1798.155(a) to eliminate the right of businesses and third parties to seek the opinion of the California Attorney General about compliance with the CCPA and replace it with a voluntary authority by which “the Attorney General may publish materials that provide businesses and others general guidance” on compliance with the statute. The Attorney General had previously been critical of the original provision, writing in an August, 2018 letter to the California legislature that the obligation to advise companies and third parties on demand would create “the unprecedented obligation of using public funds to provide unlimited legal advice to private parties” while also creating a conflict of interest by “having the AGO provide legal advice to parties who may be violating the privacy rights of … the very people the AGO is sworn to protect.”

The bill has been referred to the Rules Committee for assignment, and may be acted on or after March 27, 2019. While the bill’s ultimate fate is uncertain, given the coalition that supports the bill and the overall push for more robust privacy protections, businesses should follow it closely because it has the potential to have a broad and lasting impact on their privacy and information collection practices and the rights of California residents.