On Jan. 1, 2020, the California Consumer Privacy Act (CCPA or Act) is set to empower the state attorney general to file suit against "businesses" that collect consumers' "personal information." The law is poised for amendments, and a pending bill that would expand the law's private right of action should be carefully watched.

SB-561 seeks to dramatically expand the CCPA's private right of action while removing safe harbors and compliance opportunities for businesses. Specifically, the bill would allow consumers to sue for a violation of any of the Act's extensive requirements. Concurrently, the bill proposes stripping a business's right to seek guidance from the attorney general and removing the 30-day safe harbor for actions brought by the attorney general.

A business is defined as any entity operated for profit or financial benefit that collects consumers' personal information (or on behalf of which that information is collected), and either: 1) has a gross revenue in excess of $25,000,000; 2) buys, receives for commercial purposes, shares for commercial purposes, or sells the personal information of 50,000 or more consumers, households, or devices; or 3) derives 50 percent or more of its annual revenues from selling consumers' personal information.

The April 9 Hearing on SB-561

On April 9, the California State Senate held an open hearing on SB-561. As one Senator argued, passing the amendment in its current form would be "red meat for" the plaintiffs' bar.

The CCPA provides for enforcement through the California Attorney General and also by consumers, who may bring individual suits and class actions. As written, the private right of action allows consumers to bring an action if their personal information "is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business' violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information."

If successful, SB-561 would broaden the private right of action dramatically, allowing any consumer whose "rights under this title are violated" to sue for:

  • Damages of $100 to $750 "per consumer per incident or actual damages, whichever is greater";
  • "Injunctive or declaratory relief"; and
  • "Any other relief the court deems proper."

The most contentious talking point at the April 9 Senate hearing involved the right to cure and the standards businesses will be held to when trying to cure any alleged violation. As it stands, the bill removes the current 30-day safe harbor with respect to actions brought by the attorney general, though a 30-day safe harbor is still in place for actions brought by consumers.

Whatever the outcome of the bill, how exactly a business "cures" an alleged violation under any safe harbor is up for debate.

Though guidance was sought on what a "cure" is under the statute, proponents of the Act and bill struggled to explain or define what "cure" means. Further complicating matters is the bill's removal of a business's right to seek compliance guidance from the attorney general. Under the current version of the bill, the attorney general "may publish materials that provide . . . general guidance."

Next Steps—What to Do Now?

Despite strong opposition and criticism, the bill is still alive and the hearing revealed the following:

Further revision. While a majority of the committee voted to move the bill on to the Senate Appropriations Committee, it is likely the bill will undergo further revision. Sen. Hannah Beth Jackson (D-Santa Barbara), author of SB-561, vowed to work with attendees in addressing concerns raised.

30-day safe harbor and the private right of action. Dialogue at the hearing makes clear that a 30-day safe harbor is still in place for consumer actions. Whatever "cure" means, an opportunity (and argument) for compliance still exists before a class action is filed.

If the current private right of action is left in place, the Act's growing legislative history provides an increasingly strong argument to limit its scope. Whatever language is used, the plaintiffs' bar will argue for the broadest interpretation possible. In the event the bill's proposed private right of action language is rejected, however, the April 9 hearing provides potential defendants with further ammunition for arguing that the Act's current language should be narrowly construed. As Senator Borgeas explained: "we don't even necessarily have the infrastructure in place, yet we're talking about taking sledgehammers when maybe a smaller device might be more appropriate . . . there might be a way forward with compliance which does not create a private right of action because I'm concerned . . . this is red meat for trial lawyers . . . this is going to allow for a ravenous frenzy if it moves forward in this type of form."

Now What?

Recognizing the Act is a moving target, businesses need to take action. They should first determine whether they qualify as a "business" as defined in the statute. If a "business" does fall into the purview of the statute, it is important to assess the following:

  • What consumer information that business possesses and how that data is stored and used; and
  • Whether any current data storage system is susceptible to unauthorized access or theft.

If a business falls within the purview of the Act, it is critical to perform a review of policies and procedures in place addressing consumer information. Policies and procedures should be modified to comply with the Act (including its likely evolutions before January 1, 2020) and, if none are in place, they should be instituted. Businesses are encouraged to contact counsel and keep abreast of further developments, which are a near certainty.

Originally published by Bloomberg Law
