As the Jan. 1, 2020 operational date for the California Consumer Privacy Act (“CCPA”) approaches, the balance between consumer rights and company responsibility continues to be vigorously debated. As this blog predicted when we discussed the first set of amendments to the CCPA, negotiations and amendments to the CCPA continue. We review the most recent Feb. 22, 2019 consumer friendly amendment now—Senate Bill 561 (“SB 561”).
The Current State of the CCPA
SB 561 modifies the CCPA’s enforcement provisions so that companies must be more vigilant than ever before when processing consumer personal information, or else find itself subject to a private cause of action. The current state of the CCPA is as follows:
- Private Right of Action: actions are limited to when a consumer’s nonencrypted or nonredacted personal information is subjected to unauthorized access, exfiltration, theft, or disclosure as a result of a business’ violation of its duty to implement and maintain reasonable security procedures;
- 30-day Cure Period: there is a 30-day period where the violator may cure the CCPA violation after being provided written notice by the consumer of the alleged violation. If cured and confirmed to the consumer in writing, the consumer is then precluded from initiating the private action; and
- Company Obligations: the Attorney General must provide “opinions” to businesses and third parties who seek them, in order to provide guidance on how to comply with the CCPA.
SB 561’s Consumer Friendly Amendments
SB 561 substantively expands consumers’ rights under the CCPA and amends, among other provisions, the following:
- Expansion of Private Right of Action: consumers whose “rights under [the CCPA] are violated” may now initiate a private right of action against the company, so a private right of action is no longer limited to only when there is a data breach;
- Elimination of the Curing Period: the 30-day safe-harbor period is eliminated, so consumers are able to initiate a private action regardless if the company cures its violation; and
- Increasing Diligence for Companies: The Attorney General only needs to provide “general guidance” via publications instead of providing opinions to businesses and third parties seeking specific guidance regarding compliance with the CCPA.
If passed, the amendments demonstrably expand consumers’ rights and put a heavier onus on the parties required to comply with the CCPA. Most notably, the expansion of the private right of action for all CCPA violations, not just those stemming from a data breach, may find violators subject to additional litigation. Moreover, by not being able to seek opinions directly from the Attorney General, businesses will need to become more vigilant in following any CCPA regulation that governs it.
The amendments conform with the drafters’ intent behind the CCPA. State Senator Hannah-Beth Jackson, who introduced SB 561 along with the California Attorney General, stated that “If [companies are] violating your right, they’re probably violating the rights of a lot of other people,” and that “The purpose of this litigation is not to punish this behavior, it’s to deter it. It’s to make these companies comply with the law. If there’s no punishment, if there’s no accountability, they’re going to keep doing it because it makes them money.”
While Jan. 1, 2020 still seems distant, it is never too early to begin preparing your company to be in compliance with the CCPA. As we saw with the European Union’s General Data Protection Regulation (“GDPR”), many companies were wholly unprepared to become compliant with GDPR.
For the companies or entities subject to the CCPA, we emphasize the need to follow the continuing amendments proposed or made to the CCPA, and determine how that affects your business. Strategizing in advance about how your company will achieve, or maintain, compliance with the CCPA is imperative as consumer rights will certainly increase the burden placed on businesses to protect privacy rights.
To review this blog’s previous analysis of the CCPA, click here for part 1 and here for part 2. For more information on the CCPA or other privacy matters, please contact any member of Taft’s Privacy and Data Security Team.