A recent bill to amend California’s landmark data privacy law seeks to expand potential liability for violations—bringing little comfort to those already concerned about the risks and challenges associated with achieving compliance in advance of the law’s upcoming effective date.

The proposal—Senate Bill 561, introduced on February 25, 2019, by California Attorney General Xavier Becerra and Senator Hannah-Beth Jackson—would amend the California Consumer Privacy Act (“CCPA”) to expand the scope of the consumer private right of action and to remove a notice-and-cure safe harbor from Attorney General enforcement.

The CCPA is due to become effective January 1, 2020.  Among other things, the CCPA establishes a consumer right to request details from covered businesses about the collection of personal information, the purpose of such collection, and third parties with whom the information has been or may be shared.  Covered businesses are also required to delete personal information upon request (subject to certain exceptions);  must disclose certain information regarding their sale of consumer data; and must provide consumers the right to opt out of having their information sold, without discriminating against those who do opt out.

The CCPA applies to any business that (i) collects personal information about consumers, defined as natural persons who are California residents; (ii) does business in California; and (iii) meets at least one of three criteria: (a) has annual gross revenues exceeding $25 million; (b) buys, receives, sells or shares the personal information of 50,000 or more consumers, households or devices annually; or (c) derives 50 percent or more of its annual revenue from selling consumers’ personal information. Like Europe’s GDPR, the CCPA defines “personal information” broadly, although the definitions under the two rules are not identical, as the CCPA also encompasses information that can be linked to “household[s],” even if not to individual consumers.

In its current form, the CCPA provides a private right of action only for consumers whose nonencrypted personal information is stolen or leaked as a result of a business’s failure to implement and maintain reasonable security procedures and practices.  Remedies available to consumers under the rule are the greater of actual damages or statutory damages of $100 to $750, but notice and a 30-day opportunity to cure must be provided to the business before a consumer may seek statutory damages.  Violations of other provisions of the act are subject to enforcement only by the California Attorney General, who may bring an action for a civil penalty of up to $2,500 per violation or $7,500 per intentional violation.  Actions by the Attorney General for violations of the act are also subject to a 30-day notice-and-opportunity-to-cure requirement.

Senate Bill 561 proposes the following changes to the CCPA:

  • Expanding the consumer private right of action to allow consumers to bring suit for any violation of the CCPA, rather than only for theft or leakage of personal information due to the failure to maintain reasonable security precautions;
  • Eliminating the 30-day notice-and-opportunity-to-cure requirement before the California Attorney General may bring an action for a violation (but leaving in place the 30-day cure period for the private right of action); and
  • Removing the California Attorney General’s obligation to provide guidance opinions in response to requests from businesses on CCPA compliance, such that the Attorney General would only be permitted (but not required) to publish materials providing “general” guidance on compliance.

If adopted, this amendment could substantially increase potential liability for businesses that violate the CCPA and eliminate some current safe harbors.  The proposed amendment does not address other potential issues within the CCPA, including the breadth of its definition of “personal information” or the lack of a distinction between sensitive and nonsensitive personal information.

With the effective date of the CCPA less than one year away, covered businesses should already be active in preparing for compliance.  Davis Polk partner Avi Gesser’s advice for preparation is featured in a Cybersecurity Law Report article on considerations for compliance plans and misconceptions surrounding the CCPA.

We will be monitoring updates to the CCPA closely here at the Davis Polk Cyber Blog and will post regularly on any significant developments.

The authors gratefully acknowledge the assistance of law clerk Stephen Rettger in preparing this entry.