May 29, 2020

May 29, 2020

Subscribe to Latest Legal News and Analysis

May 28, 2020

Subscribe to Latest Legal News and Analysis

May 27, 2020

Subscribe to Latest Legal News and Analysis

May 26, 2020

Subscribe to Latest Legal News and Analysis

SB 561 Aims to Make CCPA More Consumer-Friendly by Expanding a Private Right of Action and Removing the Right to Cure

Last week, California State Senator Jackson and state Attorney General Becerra introduced a new bill, Senate Bill 561.  If passed, it will greatly expand the consumers’ right to bring private lawsuits for violations of the California Consumer Privacy Act (“CCPA”).  SB 561 will: (1) provide for a private right of action for all CCPA violations—not just those stemming from a data breach; (2) eliminate the 30-day safe-harbor provision that currently allows companies to cure the violation and thereby avoid a private right of action; and (3) prevent companies from seeking specific opinions from the Attorney General and instead allow the AG’s office to provide “general guidance” via publications.

Currently, the CCPA enables only the AG’s office to sue in most circumstances.  California consumers who wish to file a private action face industry-backed hurdles.  Specifically, the current version of the CCPA only allows consumers to sue over data breaches resulting from a business’s failure to implement reasonable security measures.  It further provides a safe harbor for companies by requiring the consumer to notify the business of the alleged violation before a private lawsuit can be filed and then giving the company 30 days to cure the alleged violation.  

If passed, SB 561 bill will make the CCPA a lot less friendly to the industry and “would expand a consumer’s rights to bring a civil action for damages to apply to other violations under the act.” Another key proposed change is to delete the current requirement of the “30-day period in which to cure after receiving notice of an alleged violation.” 

Notably, the CCPA in its present version does provide California residents with the right (1) to learn what information the companies collect about them, (2) to request the deletion of that information, and (3) to prevent the sale of it to others.  Consumers cannot sue for these violations, however.  CCPA also requires businesses to take reasonable data-security measures and allows consumers to sue only if they reported the violations to the business, and the business then failed to cure it within 30 days.  SB 561 seeks to change that by greatly expanding consumers’ rights: to allow them to sue companies not only when they failed to cure security-related violations but also when they do not provide consumers’ with the information they collected, or fail to honor requests to refrain from selling consumer data, or violate other provisions of the CCPA. 

The bill further seeks to “specify that the Attorney General may publish materials that provide businesses and others with general guidance on how to comply with the act.”  Arguably, this would no longer allow businesses to ask the Attorney General’s for specific opinions on how they can comply with the CCPA.  Rather, in his discretion, the Attorney General “may” publish “general guidance.”  It is unclear how much utility this amendment will provide to businesses, as Attorney General Becerra has already clarified that his office’s goal is to protect consumers—not to “give out free legal advice” to companies.

The CCPA has already been revised once before.  Specifically, SB 1121, which was signed into law in late 2018, made “various technical and clarifying changes” to correct drafting errors, ambiguities, and some inconsistencies.  Still, additional revisions are expected in 2019, and companies should closely monitor further developments.  An informational California Senate hearing on the CCPA will take place on March 5, 2019, at 1:30 p.m.

©1994-2020 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.


About this Author

Cynthia Larose, Privacy, Security, Attorney, Mintz Levin, Law Firm, electronic transactions lawyer
Member / Chair, Privacy & Cybersecurity Practice

Cynthia is a highly regarded authority in the privacy and security field and a Certified Information Privacy Professional (CIPP). She handles the full range of data security issues for companies of all sizes, from start-ups to major corporations. Cynthia is masterful at conducting privacy audits; crafting procedures to protect data; advising clients on state, federal, and international laws and regulations on information use and data security; helping organizations respond to breaches; and planning data transfers associated with corporate transactions. She is an in-...

Natalie Prescott, Mintz Levin Law Firm, Litigation Attorney
Practice Group Associate

Natalie’s practice focuses on a wide range of litigation matters.

Prior to joining the firm, Natalie worked as the co-founder and trial lawyer for a boutique litigation firm that focuses on state and federal litigation. She also spent many years as a litigation associate at one of the world’s largest law firms, where she received extensive consumer litigation, trial, and appellate experience.

Previously, Natalie served as a judicial law clerk for the Honorable Roger T. Benitez of the United States District Court of the Southern District of California and as a litigation associate in the San Diego office of another global law firm.

During law school, Natalie worked as the editor-in-chief for the Duke Journal of Comparative and International Law. She graduated at the top of her class from Duke Law School. She also has an MA in English from Tulane University and a BA in speech communication from the University of Southern Mississippi. In 2014, Natalie was selected along with a handful of applicants nationwide to attend Gerry Spence’s Trial Lawyers College, which allowed her to master trial preparation techniques at the highest level.

858 -314-1534