When California quickly passed the landmark California Consumer Privacy Act (CCPA) last June, policymakers across the state made clear that they did not anticipate the new law--the most sweeping privacy legislation in the United States--would be implemented unchanged. What was unknown was what those changes might be, and whether they would reduce or increase burdens on businesses operating in the state.
Now, almost eight months later, the second set of proposed changes to the CCPA has been put forward. While narrow in scope, these changes could, if enacted, have a significant impact on California businesses through an expanded enforcement mechanism.
What Has Been Proposed
State Senator Hannah-Beth Jackson introduced legislation on February 25, 2019, to further amend the CCPA in a move supported by California Attorney General Xavier Becerra. According to Senator Jackson, Senate Bill 561 is intended to further strengthen the CCPA. If passed, the risk to businesses for noncompliance with the CCPA will dramatically increase. As currently drafted, SB 561 will:
- Expand the private right of action to any consumer whose “rights under [the CCPA] are violated.” As currently drafted, the CCPA limits the private right of action to where consumers’ non-encrypted or non-redacted personal information has been subject to a data breach as a result of the business’ violation of the duty to implement and maintain reasonable security procedures.
- Remove the right to cure any alleged violation within 30 days after being notified.
The proposed changes to enforcement are notable. Consumers, without any demonstration of harm, would have the ability to file suit for any alleged violation of their rights under the CCPA. Additionally, if the proposed bill passes as drafted, businesses would no longer have the opportunity to cure the violation within 30 days before a private lawsuit could be filed or before the Attorney General could initiate an action.
Notably, SB 561 also removes the onerous requirement that the Office of the Attorney General provide, at taxpayers’ expense, legal opinions directly to any business or private party with individual legal counsel on CCPA compliance. Instead, the Attorney General will be given the option to “publish materials” that provide general guidance on how to comply with the CCPA.
Where We Stand Now
Passed and signed into law in 2018, the CCPA is scheduled to become effective January 1, 2020, with enforcement delayed until July 1, 2020. It is currently the most comprehensive privacy legislation in the U.S., with extensive new compliance requirements and liabilities for businesses. In short, the first-of-its-kind legislation grants California residents a number of new rights with respect to the collection of their personal information by businesses.
Those new rights include, among others, the right to be informed about the categories of information a business collects and the purposes for which it is collected and sold, the right to access their information in a portable format, the right to request deletion of personal information, the right to opt out of the sale of their personal information, and the right to be free from discrimination for exercising rights under the Act with respect to pricing and service. Businesses are required to respond to consumer requests for this information, free of charge, and within 45 days in an electronic format that can be transferred to another business.
Additionally, the CCPA creates specific transparency requirements relating to collecting and selling personal information. Businesses must disclose the new rights to California consumers in public-facing privacy notices. Businesses that are “selling” personal information as defined by the Act have additional obligations, which include providing a “clear and conspicuous” link on the business’ homepage titled “Do Not Sell My Personal Information.”
Given the intricacies and detailed obligations for complying with the CCPA, the proposed amendments in SB 561 must be taken very seriously. This is especially true since SB 561 removes the opportunity to cure an alleged violation. Thus, a well-intentioned business that makes an innocent compliance mistake will no longer have a chance to resolve the issue before enforcement actions or lawsuits are filed. Even more problematic is the fact that the CCPA is still riddled with drafting inconsistencies and ambiguities that make compliance a daunting task.
That said, further amendment by lawmakers and some clarification is anticipated from the Attorney General before the CCPA goes into effect in 2020. Additionally, even though aspects of the law may change before it becomes effective, there are many things that a business can do now to prepare for the upcoming changes, including identifying what personal information a business has, where it resides, where it came from, and where it is going. Conducting a thorough inventory and mapping of personal data is an important first step to complying with the CCPA (and other data protection laws) no matter the specifics of the law. Procopio’s Privacy and Cybersecurity practice group members can assist with those and other privacy-related efforts.