On February 25, 2019, California Attorney General Xavier Becerra and California State Senator Hannah-Beth Jackson introduced Senate Bill 561, legislation intended to strengthen and clarify the new California Consumer Privacy Act (“CCPA”). If passed, the bill will impose significant burdens and risks on businesses that must comply with California’s sweeping consumer privacy law.

Brief Overview of the CCPA

The CCPA was enacted in June of 2018, and grants consumers rights with respect to the collection and use of their personal information. The law applies to any entity that does business in California and has either:

(i) annual gross revenue in excess of $25 million;

(ii) annually buys, receives, sells, or shares for commercial purposes, the personal information of 50,000 or more consumers, households, or devices; or

(iii) derives 50% or more of its annual revenues from selling consumers’ personal information.

The CCPA sets out these key requirements: (1) businesses must disclose data collection and sharing practices to consumers; (2) consumers have the right to request that their data be deleted; (3) consumers have the right to opt out of the sale or sharing of their personal information; (4) businesses are prohibited from selling personal information of consumers under the age of 16 without explicit consent; and (5) businesses cannot discriminate against a consumer who has exercised any rights provided for in the act.

SB 561’s Amendments and their Potential Consequences

SB 561 proposes three amendments to the CCPA. First, the bill adds a private right of action, expanding consumers’ rights to pursue legal remedies under the act. Prior to this amendment, consumers could bring civil actions for data breaches under certain circumstances, but the Attorney General was primarily responsible for enforcement of the CCPA. With this amendment, any violation of any provision of this act would allow a consumer to seek statutory damages of $100-$750 per violation, even if there are no actual damages. Although the statutory damages for each violation are relatively modest, given the size of most data breaches and what will likely be the magnitude of the violations of the CCPA, the risk to entities covered by the act will be significant. For example, class action litigation related to data breaches have resulted in company payouts of $85 million (Marriott), $115 million (Anthem), and $179 million (Home Depot). If SB 561 passes, businesses will likely be exposed to both greater volume and higher costs of privacy-related litigation.

Second, SB 561 removes the “right to cure” provision of the act for actions brought by the Attorney General. The bill eliminates a business’s opportunity to remedy an alleged violation of the CCPA within 30-days of notice, and instead allows the Attorney General to immediately seek injunctive relief and civil penalties. Essentially, businesses would be expected to comply with the CCPA at all times (an unrealistic expectation), or risk enforcement by the Attorney General. Though it is unclear if SB 561 intended to completely eliminate the right to cure, as currently written, the deletion of the right to cure only applies to civil actions brought by the Attorney General, and businesses still appear to have 30-days to rectify a violation to avoid civil actions by consumers.

Third, SB 561 removes the provision of the CCPA that allows businesses and third parties to seek individualized guidance from the Attorney General. Instead, the Attorney General may publish materials that provide general guidance on how to comply with the act. While this could, in theory, reduce the burdens placed on the Attorney General at the taxpayers’ expense, it is unclear whether general guidance will be sufficient to address businesses’ specific requests for guidance their good faith efforts to comply with the CCPA.

Outlook on CCPA

The CCPA becomes effective January 1, 2020, and the Attorney General must adopt certain regulations by July 1, 2020. Enforcement by the Attorney General will not begin until July 1, 2020, but it is unclear if civil actions by consumers under SB 561 can be brought before this date. SB 561 is the second proposed amendment to the CCPA, and it is expected that there will be additional changes before the effective date of the act. Additional possible amendments may include clarifications of current terms like “consumer,” “personal information,” “households,” “sale,” “service provider” and “third party”.

Additionally, Congress is currently considering a bi-partisan federal data privacy law. Depending on whether a federal law passes, and what the terms are, CCPA may become obsolete, in whole or in part, by preemption. On February 26, 2019, the House Energy and Commerce Committee held its first hearing on data privacy, which did not conclude with a clear path moving forward. The Senate is scheduled for a hearing on February 27, 2019.

Most legal and privacy experts acknowledge that there is much work to be done to perfect the CCPA. SB 561 is a clear step toward expanding consumer privacy rights. Ideally, the final iteration of the CCPA will provide robust protection to consumer privacy without setting unclear or unrealistic expectations for businesses.

Keesal, Young & Logan Cybersecurity and Privacy Group

This information has been prepared by Keesal, Young & Logan for informational purposes only and is not legal advice. Transmission of the information is not intended to create, and receipt does not constitute, an attorney-client relationship between you and Keesal, Young & Logan. You should not act upon this information without seeking professional counsel.