Currently the CCPA only provides a private right of action to any consumer whose unencrypted sensitive-category information has been breached as a result of a business’s violation of its duty to “implement and maintain reasonable security procedures and practices.”[1] The Act does not provide for a private right of action for an alleged failure to disclose the sale of information, or an alleged failure to offer (or honor) an opt-out of the sale of information, and further states that “[n]othing in this title shall be interpreted to serve as the basis for a private right of action under any other law.”[2]
It is worth noting that amendments to the CCPA have been proposed which might allow a private right of action for any alleged violation of the statute. One of those amendments – Senate Bill 561 – is currently on hold within the Senate Appropriations Committee for an evaluation of its potential fiscal impact. It is possible that the Senate Bill may be enacted in 2020 after its fiscal impact has been evaluated.
This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes. You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.
1. CCPA, § 1798.150(a)(1) (referring to those categories of personal information specified under Cal. Civil Code 1798.81.5(d)(1)(A)).
2. CCPA, § 1798.150(c).