Just when we thought we had an remote understanding on how the California Consumer Privacy Act (“CCPA”) would work from an enforcement and penalty perspective, Senate Bill 561 was introduced on February 22. The bill has the full support of Attorney General Xavier Becerra and appears to be heading for a vote; the odds are favoring passage.
It is not surprising that the Attorney General supports the proposed changes because they remove some of the biggest headaches for enforcement and administration. These include elimination of the Attorney General’s obligation to provide guidance to businesses, upon request, about how to comply with the CCPA, and removal of a 30-day cure period before enforcement actions can begin.
In addition to relieving the Attorney General’s administration and enforcement constraints, SB 561 contains a more drastic and significant change. By the removal of one short sentence, SB 561 expands the individual cause of action for statutory damages beyond narrowly defined data breach situations (unauthorized access and exfiltration, theft, or disclosure of their non-encrypted or non-redacted personal information) and throws open the doors. Under the proposed version, any consumer with a claim that his or her CCPA rights are violated (presumably in any manner) may bring a civil suit and claim statutory damages of up to $750 per incident. This change, combined with the ability for claims to be pursued on class-wide basis, could be a potential bonanza for plaintiffs’ attorneys.
The proposed revision keeps the 30-day cure period for individual claims, although the grace period is removed for the Attorney General’s enforcement actions. This is some small relief for individual claims, although it is still difficult to imagine how a business could “cure” a data breach or other incident violation, such as a failure to respond to a consumer request in the proscribed period of time. It is conceivable that the 30 day cure could provide some defense against de minimis technical violations, like the failure to provide appropriate notification language, disclosures, or contact information for consumers. Arguably, even the failure to provide an adequate response to a cure notice (“an express written statement that the violations have been cured and that no further violations shall occur…”) could itself raise a claim for statutory damages.
From a business and commercial compliance standpoint, it is starting to appear that the stakes will be even higher on January 1, 2020.