In February, we posted that the California Attorney General and state Senator Hannah-Beth Jackson had announced a bill that would have materially expanded legal exposure for businesses under the CCPA. The most concerning parts of the bill were the attempts to expand the private right of action to cover privacy practices, while simultaneously removing companies’ rights to cure violations before facing a suit.

  • Private Right of Action: The enacted CCPA includes a private right of action limited to data breaches. Any consumer who is the victim of a breach of unencrypted or unredacted personal information (as that term is defined by the law) “as a result of a violation of the duty to implement and maintain reasonable security procedures and practices” can recover statutory damages of up to $750 per incident. The bill would have expanded the private right of action to cover violations of other sections of the law, namely the provisions covering privacy-related obligations (e.g., notice requirements, right to deletion, and the right of access).
  • Right to Cure: The CCPA requires the Attorney General to give businesses notice and 30 days to cure alleged violations before the Attorney General can seek an injunction and civil penalties. This 30-day cure period can provide a warning to businesses that are trying to comply with a confusing law, if their efforts fall short. The proposed bill, however, would have removed the right to cure, leaving businesses immediately exposed to any violations.

On April 29, 2019, the California Senate Appropriations Committee – the Committee responsible for overseeing the state’s budget – placed the bill, S.B. 561, in the Committee’s “Suspense File” by a unanimous vote. The Suspense File is where bills with a significant financial impact are placed so that the Appropriations Committee can consider their financial impact once they have a better sense of the year’s budget. Yesterday, the Committee decided not to let the bill out of the Suspense File, effectively killing the bill.

Although companies still have a lot of work to do to address CCPA compliance obligations, they can breathe a little easier knowing that the threat of lawsuits for any minor violation has been diminished.