Greenberg Traurig LLP
In late February 2019, Attorney General Xavier Becerra and several state legislators proposed substantial amendments to the California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100 et seq. (“CCPA”), that, if adopted, would expand the scope of the private right of action under the Act and scale back procedural safeguards enacted in the original statute that would have potentially shielded companies from greater liability.
The CCPA is a sweeping legislative act designed to broadly regulate the collection and use of personal information about California residents. The CCPA confers on California residents the right to (1) be notified of the personal information collected from them and for what purpose, (2) request disclosure of the specific personal information that a business has collected from them, (3) opt out of the collection of their personal information, and (4) demand that their personal information be deleted. The CCPA requires businesses to adjust internal practices and procedures to ensure compliance, notify residents of their rights under the law on company websites and in privacy policies, and require their third-party service providers to adhere to the law as well. The law applies to any company doing business within the State of California that collects consumers’ personal information and meets one of the following thresholds: (1) has annual gross revenues in excess of $25 million, (2) buys, receives for commercial purposes, sells, or shares for commercial purposes, the personal information of 50,000 or more consumers, households, or devices (whether alone or in combination), or (3) derives 50% or more of its annual revenues from selling consumers’ personal information.
One of the main critiques of the CCPA has been that its provisions are not clearly written or lack explanation (for example, what constitutes “reasonable” security measures, how a company can “cure” a violation, and what a “household” within the definition of a “consumer” encompasses) and are therefore difficult to implement, a problem that those closely watching had hoped would be resolved by legislative amendment. However, rather than providing more clarity, the amendments proposed in 2019 seek to remove certain procedural safeguards for businesses attempting to comply with the CCPA’s terms and otherwise indicate that the law will have an even broader scope than as originally enacted.
First, Attorney General Becerra and Senator Hannah-Beth Jackson proposed SB 561, which would amend the private right of action under the CCPA to extend to any consumer whose rights under the CCPA are violated. This is a significant departure from the limited private right of action in the current statute, which only extends to consumers whose personal information is compromised in a data breach. This expansion, if enacted, coupled with the availability of statutory damages up to $750.00 per consumer per violation, will likely lead to even more of a proliferation of lawsuits and putative class actions under the statute than presently anticipated.
Second, SB 561 proposes to remove several business safeguards built into the CCPA. The bill proposes to remove the notice and cure provision, which, as currently written, allows a business thirty (30) days to cure a violation of the CCPA and, if cured, avoid penalties from the Attorney General’s office and bar a consumer lawsuit over the violation. SB 561 also proposes to remove a business’s ability to seek guidance from the Attorney General on how to comply with the CCPA, and proposes instead that the Attorney General “may publish materials” that provide “general guidance on how to comply.” These proposed amendments appear to address Attorney General Becerra’s expressed concern that implementing the law will demand an unreasonable amount of resources from his office. Nevertheless, since the ability to cure and to seek advice on compliance had provided businesses some ability to dodge hefty civil penalties or statutory damages for the failure to implement ambiguous directives, removing those provisions does not bode well for companies seeking to limit their exposure.
Finally, Attorney General Becerra and Assembly Member Marc Levine proposed AB 1130, which would expand the scope of personally identifiable information that triggers data breach notification requirements and which, if compromised, could subject a business to statutory damages under the CCPA. AB 1130 would add passport numbers and biometric information (e.g., fingerprints, retina scans, etc.) to the definition of personal information under California’s data breach notification law. The proposed amendment appears to be, in part, a direct response to recent data breaches potentially involving passport numbers.
It remains to be seen whether SB 561 or AB 1130 will become law by the September 13, 2019 deadline for the bills to pass, or if other seeming holes in the statute will be addressed before the law goes into effect on January 1, 2020.
Rebekah Guyon is a litigation attorney in Greenberg Traurig LLP’s Los Angeles office. Her practice focuses on defending cybersecurity and data privacy class action suits and on representing clients in technology, entertainment, and intellectual property litigation. She may be reached at GuyonR@GTLAW.com. The views she expresses are her own and not those of Greenberg Traurig LLP or its clients.