On Monday, Feb. 25, California Attorney General Xavier Becerra, together with Sen. Hannah-Beth Jackson (D), announced Senate Bill 561 to amend the California Consumer Privacy Act (CCPA). Most significantly, SB 561 would effectively eliminate the AG’s responsibility to provide guidance to businesses on how to comply with the CCPA while simultaneously expanding the right of class action plaintiffs’ lawyers to sue businesses for noncompliance. Moreover, SB 561 removes the right of businesses to cure a violation under the CCPA. While surprising to some, these amendments were hinted at during the Feb. 20 Assembly Committee hearing on Privacy and Consumer Protection, where Assistant AG Stacey Schesser testified, among others. And that is not all. In recent weeks, the California Republicans have proposed five bills to also expand consumer privacy rights, which we will summarize in a subsequent blog post.
Industry advocates have previously called on the legislature to clarify the narrowness of the CCPA’s limited private right of action to certain types of reportable data security breaches attributable to a failure to maintain reasonable security, and that privacy noncompliance cannot be the basis of an unfair practices claim under California Business and Professions Code Section 17200. We have written about this here. However, as we have previously reported, the California AG has interpreted the current private right of action as precluding privacy noncompliance claims, but has been pushing to expand the private right of action into covering such violations, arguing that his office lacks sufficient resources to enforce the CCPA. Last week, AAG Schesser used her testimony to stress that the AG’s office is in favor of expanding the private right of action to any violations under the CCPA, to the delight of plaintiffs’ lawyers everywhere. Schesser also compared the cure right found in Section 1798.150 to a “get out of jail free” card (see here for audio and video of the hearing). The suggestions made by AAG Schesser are directly addressed by SB 561, just two days after the Assembly hearings.
SB 561 would substantially impact businesses by expanding the private right of action to any violation of the CCPA while also removing their ability to seek clarification on CCPA compliance or to cure potential CCPA violations. This is alarming because the CCPA imposes detailed compliance obligations, and the act is internally inconsistent and full of ambiguities. Under SB 561, a well-meaning business that accidentally makes a mistake because it couldn’t seek clarification from the AG will no longer have a 30-day opportunity to resolve the issue before enforcement ensues. Further, whereas the AG exercises prosecutorial discretion to direct limited resources toward bad actors, allowing private attorney general actions will subject businesses to “gotcha” claims for even innocent technical violations. As a result, minor issues best handled by “fix it” tickets could be met with expensive and socially inefficient class action lawsuits.
Overall, the three most significant impacts of the amendment are that it removes:
- The limitations on bringing a private cause of action for any violation of the CCPA.
- The ability of businesses to cure an alleged CCPA violation within 30 days.
- The opportunity for a business or third party to seek the opinion of the AG for guidance on how to comply with the CCPA.
SB 561 is in direct contravention of the compromise that led to the CCPA being passed. CCPA was initially to be an initiative on the California ballot. In exchange for allowing the private right of action to be curtailed, the legislation expanded consumer privacy rights and the initiative proponents agreed to withdraw the initiative and support the legislation. Industry groups that supported, or did not oppose, the legislation did so primarily to limit the potential of a broad private right of action. We shall see if the legislature keeps to the original intent of the compromise or not.
Beyond California, there are now at least 15 states that have proposed privacy legislation based on the CCPA or the European Union’s GDPR. A recent Massachusetts bill proposes a broad private right of action, while Mississippi’s bill proposes that its version of CCPA go into effect in June of this year – certainly not allowing enough time for businesses to prepare. And then there are various federal proposals. We will be tracking all this legislation as well as the ongoing CCPA rule-making. (See here and here for more information on the regulatory process.) Further legislation is all but certain. However, as we have previously advised, there are many things that a business can do now to prepare for changes in U.S. privacy law even if the exact details of what those laws will ultimately require are still a moving target. For more information, contact the authors or see our U.S. Privacy Legislation resource center.