Amendments Proposed to California Consumer Privacy Act (CCPA) Increase Burdens and Penalties on Covered Businesses

Anush Emelianova, Ehren Halse, Phyllis Sumner, Anne Voigts
King & Spalding
Contact
LinkedIn
Facebook
X
Send
Embed

Businesses in California and around the country have taken notice of the twists and turns taken so far concerning the passage of the CCPA.  The California legislature passed the CCPA as an alternative to an even stricter ballot measure that had looked likely to pass with voters.  However, as K&S has previously noted, the current state of the new privacy law is expansive, ambiguous in some respects, and compliance appears to be quite onerous.  Many observers also hoped that the CCPA’s January 1, 2020 compliance date would give California’s legislature a chance to iron out some of the most controversial and/or ambiguous parts of the law before they took effect. With the recent close of the legislative calendar, however, pending bills could actually give the CCPA more teeth, by expanding the potential for private lawsuits for non-compliance and removing key paths to compliance for covered businesses.

BACKGROUND: WHERE DO THINGS STAND?

The CCPA was enacted in June 2018, and amended in September. In brief, it applies to any business that collects the personal information (“PI”) of California residents, as long as one of the following three conditions is met: the business (i) has annual gross revenues exceeding $25 million, (ii) annually buys or sells personal information of 50,000 or more California consumers, households, or devices, or (iii) derives more than 50% of its annual revenue from selling California consumers’ personal information.[i] In general terms, covered businesses must:

  • be prepared to disclose, in response to California consumers’ requests, what kind of PI the business holds on them, as well as providing (if requested) copies of the PI itself;
  • upon request, delete California consumers’ PI from their records;
  • provide notice prior to collecting PI; and
  • permit California consumers to opt out from the sale of their PI (without unduly discriminating between consumers who opt out and those who do not).

The CCPA authorizes rulemaking by the California Attorney General (“AG”) with respect to implementation and enforcement, and in early 2019, AG Xavier Becerra solicited public comment on these topics.[ii] The AG has stated publicly that he intends to publish a Notice of Proposed Rulemaking in the fall, and the new rules will take effect no later than July 1, 2020.

S.B. 561: THE ATTORNEY GENERAL’S PROPOSED AMENDMENTS

While the public waits on the AG’s guidance, the AG has turned to the Legislature with his own comments. On February 20, Supervising Deputy Attorney General Stacey Schesser addressed the State Assembly at an informational hearing regarding concerns and proposed amendments to the CCPA. Ms. Schesser noted that the AG’s office did not have the resources to act as the principal enforcer of California consumers’ rights under the new law. In particular, she suggested that it would be impractical for the AG to provide individualized guidance on compliance in response to businesses’ requests, as the CCPA requires.[iii] She described the statute’s thirty-day period for businesses to cure allegations of noncompliance[iv] as providing only a “fix-it ticket,” and suggested that private plaintiffs would be better suited to the task of enforcing their privacy rights directly against businesses.

Two days later, on the final date for new bills to be introduced during the 2019 session,[v] California Senator Hannah-Beth Jackson introduced Senate Bill 561, which would implement the AG’s policy recommendations on all of the above:

  • Private right of action: The CCPA currently provides private plaintiffs the right to sue only in the event of a data breach that exposes “nonencrypted or nonredacted personal information” due to the defendant’s failure to maintain reasonable security procedures.[vi]B. 561 would expand this right to permit suits for violation of any other consumer rights under the CCPA.[vii] Not only would the bill permit recovery of actual damages, but this change would allow plaintiffs to recover statutory damages (ranging from $100-$750) for a violation of any of the CCPA’s provisions. As experience with the federal Telephone Consumer Protection Act has shown, statutory damages can yield tremendous liabilities and incentivize zealous class-action enforcement.[viii]
  • AG guidance: At present under the CCPA, “[a]ny business or third party may seek the opinion of the Attorney General for guidance on how to comply with” with CCPA. As Ms. Schesser’s testimony noted, this obligation could be costly, and would arguably create a conflict of interest with the AG’s obligation to enforce the law.[ix]B. 561 would instead provide only that the AG may (but, implicitly, is not required to) publish general materials on compliance.[x]
  • Cure period: As noted above, the CCPA’s main enforcement mechanism includes a mandatory thirty-day period for notified businesses to cure their alleged violations before the AG may commence an action.[xi] The new bill would eliminate this requirement, thus allowing the AG to institute an enforcement action without a prior warning.[xii] (The proposed amendment would leave in place the separate thirty-day cure period (for curable violations) required for private plaintiffs seeking statutory damages). Statutory fines (not more than $2500 for violations generally, or not more than $7500 for intentional violations) would remain unchanged.

CONCLUSION

While the AG’s rules are likely to clarify some areas of the CCPA, the proposed amendments set forth in S.B. 561 reflect the AG’s reluctance to act as the principal enforcer of California consumers’ rights under the new law. If passed, these amendments would raise the stakes for noncompliance for companies and reduce or eliminate protections designed to help companies ensure compliance with the law.

[i] Cal. Civ. Code § 1798.40(c).

[ii] The AG accepted written comments until March 8, 2019 at PrivacyRegulations@doj.ca.gov.

[iii] See Cal. Civ. Code § 1798.155(a).

[iv] See id. § 1798.155(c).

[v] California State Assembly, 2019 Legislative Deadlines (Oct. 31, 2018) available at https://www.assembly.ca.gov/legislativedeadlines.

[vi] See Cal. Civ. Code § 1798.150(a).

[vii] S.B. 561 § 1.

[viii] See, e.g., “Pharma and Medical Device Class Actions: Three Trends to Watch,” Dec. 20, 2018, available at https://www.kslaw.com/news-and-insights/pharma-and-medical-device-class-actions-three-trends-to-watch.

[ix] See also Letter from Attorney General Xavier Becerra to Assemblymember Ed Chau and Sen. Robert M. Hertzberg, dated Aug. 22, 2018 (arguing that the guidance provision would require “legal counsel at taxpayers’ expense to all inquiring businesses” and could create a conflict of interest).

[x] S.B. 561 § 2.

[xi] Cal. Civ. Code § 1798.155(b).

[xii] S.B. 561 § 2; see Cal. Civ. Code § 1798.150(b).

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising

Written by:

King & Spalding
King & Spalding
Contact
more
less

King & Spalding on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide