Bill Which Would Expand the CCPA Private Right of Action Moves Forward
As we reported, in late February, California Attorney General Xavier Becerra and Senator Hannah-Beth Jackson introduced Senate Bill 561, legislation intended to strengthen and clarify the California Consumer Privacy Act (CCPA). This week, the Senate Judiciary Committee referred the bill to the Senate Appropriations Committee by a vote of 6-2. This move came despite concerns raised about the scope of the amendment’s expanded private right of action. It is worth noting that a restricted private right of action is believed to have been fundamental to the compromise that led to the CCPA becoming law.
If SB 561 becomes law, it would make a number of significant changes to the current law. In particular, SB 561 would significantly expand the scope of the private right of action presently written into the CCPA. In its current form, the CCPA provides consumers a private right of action if their nonencrypted or nonredacted personal information is subject to an unauthorized access, exfiltration, theft, or disclosure because the covered business did not meet its duty to implement and maintain reasonable safeguards to protect that information. The amendment proposed under SB 561 broadens this provision to grant consumers a private right of action if their rights under the CCPA are violated.
This could become very costly for businesses subject to CCPA. A plaintiff suing under CCPA can recover statutory damages in an amount not less than $100 and not greater than $750 per incident or actual damages, whichever is greater, as well as injunctive or declaratory relief and any other relief the court deems proper. With the change under SB 561, violations of rights under the statute, such as rights to certain notifications or the right to have certain information deleted upon request potentially could trigger statutory damages,
A similar cause of action exists under an Illinois privacy law that you might have heard about, the Illinois Biometric Information Privacy Act or “BIPA.” That provision has resulted in a flood of litigation, including putative class actions, seeking to recover statutory damages for plaintiffs who allege their biometric information has been collected and/or disclosed in violation of the statute.
According to reports, while Senator Jackson promised to work with stakeholders to address concerns about an expanded private right of action, the lawmaker apparently is intent on maintaining the ability for consumers whose CCPA privacy rights are violated to sue, without having to rely on the Attorney General’s office to enforce the CCPA.