SB 561 Seeks to Expand Consumers’ Ability to Sue Under the California Consumer Privacy Act (CCPA)

The Electronic Frontier Foundation posted an article on May 7th, titled: California: Tell the Senate To Empower You To Protect Your Own Privacy asking Californians to call their representatives in support of SB 561 to “be able to take companies that violate their privacy to court.” This title mischaracterizes the current state of CCPA and what rights the proposed SB 561 seeks to amend.

Screenshot of EFF's California: Tell the Senate to Empower You to Protect Your Own Privacy tweet.

States:94 percent of Californians think we should be able to take companies that violate their privacy to court. SB 561 would let us do that. Call @Portantino at (916) 651-4025 to speak up for your privacy rights and tell him to do the same.

The CCPA, as enacted, already empowers consumers to protect their privacy by taking a company to court to recover “actual damages or statutory damages between $100 and $750 per violation, whichever is greater,” while simultaneously barring class action waivers.

Due to the current language of the enacted CCPA, businesses will need to be prepared to defend class action privacy suits when the CCPA becomes enforceable on July 1, 2020.

Additionally the CCPA, as enacted, empowers California’s Attorney General to prosecute any company or individual person violating the CCPA for up to $2,500 (per incident) as allowed by Section 17206 of the Business and Professions Code. Meaning, if 1000 California consumers are affected and the violation cannot or has not been cured within 30 days after receiving notice of noncompliance from the California Attorney General’s office, the violator will be liable for up to $2.5 million in damages, or up to $7.5 million if the violation is deemed intentional or willful.

So after 30-day notice/right to cure period for an alleged violation, the CCPA currently allows:

  • Consumers the right to sue, individually or as part of a class action, for actual or statutory damages, injunctive relief, or other remedies the court may grant;
  • The CA Attorney General to prosecute CCPA violators by its own action or superintend a consumer’s private action.

What is SB 561 Seeking to Change?

What actually distinguishes SB 561 (the bill the EFF is asking consumers to support) from the current CCPA is not the creation of the consumers’ right to take companies’ to court for a violation of their privacy but the expansion of consumers’ rights regarding when, and on what grounds, they may sue.

1) SB 561 greatly expands the consumers’ ability to sue under the CCPA from:

“consumers whose personal information is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information”, to:

“consumer whose rights under this title are violated”.

Expanding consumers’ right to sue from the currently limited data breach scenarios to any violation of their rights under the CCPA, to include a violators failure to: 1) disclose what information the companies collected about the consumer; 2) delete consumer information, upon request; or (3) to prevent the sale of the consumer’s information to others; exponentially expands corporate legal liability and likelihood of having to defend against a lawsuit.

2) In addition to greatly expanding the grounds upon which consumers can bring private and class action suits against violators, SB 561 also seeks to remove the current 30-day privacy violation notice period which allows businesses the right to cure a privacy violation before a lawsuit can be initiated.

This 30-day notice/right to cure was instituted as a check and balance to granting consumers a private right of action, allowing class action suits, and statutory fines. Doing away with the notice period, while expanding the grounds upon which consumers can sue, means companies will now not just be subject to fines, they will have to defend lawsuits for failing to erase “any personal information about the consumer which the business has collected from the consumer” and to direct “any service providers” to do the same — within 45 days of receiving a “verified request” or “verifiable request” from the consumer. The legal fees and costs alone, independent of actual fines or damages, can cripple a business.

So What’s the Issue?

The issue is balancing the enforcement of consumers’ privacy rights; between imposing meaningful enforcement mechanisms like fines, right to sue, etc., to insure businesses are incentivized to respect consumers’ privacy rights and comply with the law and not litigating and fining corporations out of business.

Corporations affected by the CCPA are scrambling to implement the necessary privacy frameworks and infrastructure necessary to comply with the CCPA by the July 1, 2020 enforcement deadline. Continuing to amend the law and move the bar, while violations are subject to not just oversight and enforcement by California’s Attorney General, but private lawsuits by individual consumers or aggregated into a class action, is unduly burdensome to corporations and will undoubtedly cause a spike in litigation, further clogging California’s congested court systems. Tech law firms have been ramping up their tech and privacy litigation teams because attorneys fees and costs will be awarded when they prevail in a CCPA suit.

Even if California wants to expand consumer rights to allow consumers to bring suit for any and all violations of their rights under the CCPA, the state should wait to gauge how enforcing the CCPA (as currently enacted) actually impacts the Attorney General’s office, the court system, and businesses… before doing away with a 30 day notice/right to cure period prior to the initiation of a lawsuit.