S.B. 561, 2019 Leg., Reg. Sess. (Cal. 2019)
As businesses adjust to the European Union’s General Data Protection Regulation (“GDPR”), public outcry over data privacy is intensifying in the United States. A recently proposed amendment, S.B. 561, 2019 Leg., Reg. Sess. (Cal. 2019), to California’s already stringent data privacy law aspires to further upend the legal landscape.
The California Consumer Privacy Act of 2018 (“CCPA”), Cal. Civ. Code § 1798.100-1798.199 (Deering 2018), enacted a sweeping first-in-the-nation regulatory overhaul. The CCPA expanded consumer data protection laws by requiring large businesses operating in California to, among other things, notify their customers about the nature of their data collection (including what type of data is being collected and the purpose of the data), allow customers to view and delete their data from the company’s databases, and allow customers to view information about the sale of their data and to halt the sale of their personal information. However, the CCPA currently provides for a limited enforcement scheme, allowing for a private right of action by a California resident only when an unauthorized “exfiltration, theft, or disclosure” results from the company’s “failure to maintain reasonable security procedures.” For violations not involving a data breach, the company is allocated a 30-day cure period, after which the Attorney General of California may file suit. S.B. 561, introduced by Senator Hannah-Beth Jackson, seeks to remedy this by expanding the CCPA’s private right of action to any California consumer whose “rights under this title are violated” and eliminating the 30-day cure period. In other words, S.B. 561 provides for a private right of action for any alleged violation of the law, not just for data breaches.
Moreover, the proposed amendment eliminates a company’s ability to seek legal opinions from the Office of the Attorney General on its compliance with the CCPA. Instead of providing companies with assurances that their practices comply with state law, the Act as amended would specify only that the Attorney General “may” publish general compliance guidance.
The amendment, which is backed by California Attorney General Xavier Becerra, is the culmination of years of growing popular discontent regarding the booming consumer data industry, and has sparked intense backlash among lobbyists and industry groups representing large companies, who worked hard to limit the scope of the initial CCPA. For these companies, S.B. 561 is a nightmare scenario.
The amended bill would increase the potential liability for large companies operating in California. It would likely spark many class action lawsuits, because consumers could assert claims for any violation of the CCPA, and could do so well before the Attorney General releases general guidance on compliance with the law. Further, discovery resulting from the investigation of a single alleged violation could uncover even more actionable issues.
Finally, other states are expected to follow California’s lead, meaning that any changes to the CCPA could affect the regulatory environment for data privacy nationwide. Looming over state privacy laws, however, is the prospect of a federal bill that would preempt the enforcement of state bills. But in the current political environment, it is unlikely that Congress would weaken California’s protections. So for now, for better or worse, the states take the reins.