October 15, 2019

October 14, 2019

Subscribe to Latest Legal News and Analysis

California Legislation Would Make CCPA Even Worse for Businesses

New proposed legislation in California, backed by state Attorney General (“AG”) Xavier Becerra, would amend the new California Consumer Privacy Act (“CCPA”) to make it easier for private plaintiffs and public officials to sue for violations while further increasing regulatory uncertainty and compliance costs for businesses. Specifically, SB 561 would expand the CCPA’s private right of action, remove the Act’s public enforcement “cure” provision, and eliminate the ability of affected companies to seek compliance guidance from the AG.

The CCPA is a sweeping new privacy law which goes into effect in January 2020. It gives California residents substantial control over personal data held by certain California businesses, requiring disclosure of what personal information the business collects, how that information is used or sold, and allowing consumers to control or delete that information upon request. It currently allows private plaintiffs to seek statutory damages of up to $750 per violation for certain violations, and it allows the AG to seek civil penalties of up to $2,500 for most violations, and up to $7,500 for violations found to be intentional.

SB 561 would make three key changes to the Act:

  • Expanding the private right of action—As written, the Act appears to provide a private right of action only when a consumer’s personal information was subject to an avoidable data breach. However, some speculated that allegedly ambiguous language in the statute could support a private right of action for any violation. SB 561 would resolve this ambiguity by expressly providing a broad private right of action to any consumer “whose rights under this title are violated.”

  • Removal of the public enforcement cure period—Currently, the Act provides that the AG may only bring an action after a business fails to cure an alleged violation within thirty days after being notified of alleged noncompliance. SB 561 removes this notification requirement, allowing the AG to bring enforcement actions immediately.

  • Elimination of AG compliance opinions—As of now, the Act provides a mechanism to seek a legal opinion from the Attorney General about compliance with the Act. SB 561 does away with this right, and instead provides that the AG may publish materials giving businesses and others general guidance on how to comply with the Act.

In announcing his support of SB 561, Attorney General Becerra said that the amendments are needed to eliminate the requirement that his office provide compliance advice to businesses “at taxpayers’ expense,” and to nullify a “free pass” for businesses to cure violations before enforcement could occur. This statement suggests that the AG is likely to be active in enforcing the CCPA once it goes into effect next year.

Businesses should continue to monitor legislative activity and rulemaking concerning the CCPA, as further amendments and the final implementing regulations are likely forthcoming soon. Given the approaching effective date and the possibility that it will not be extended by further amendments or the implementing regulations, there may not be a great deal of time in which to comply with revised requirements.

Copyright © by Ballard Spahr LLP

TRENDING LEGAL ANALYSIS


About this Author

Taylor Steinbacher Attorney Ballard Spahr
Attorney

Taylor Steinbacher’s practice focuses on consumer financial services and commercial litigation, including individual actions and class action defense. He regularly represents businesses including banks, credit card issuers, and marketplace lenders in matters regarding consumer protection statutes, including the Telephone Consumer Protection Act (TCPA), the Fair Debt Collection Practices Act (FDCPA), as well as Unfair, Deceptive, or Abusive Acts and Practices (UDAAP) statutes and state usury laws. He also assists clients in drafting consumer-facing agreements, such as...

424-2040-4340