Consumer Privacy Act Updates: Senate Seeks to Remove Protections for Businesses
California State Senator Hannah-Beth Jackson (D-Santa Barbara) recently introduced a bill to make the California Consumer Privacy Act even tougher. See report here. Of particular note, Sen. Jackson’s bill would remove a 30-day cure period for businesses and would allow for a robust private right of action. See text of SB 561 here.
Removing the Notice Requirement and the Cure Period
The California Consumer Privacy Act was passed in the summer of 2018. The Act has already been amended once and more amendment efforts are underway. Consumer groups are attempting to make the Act stronger and business groups are attempting to mitigate the Act’s effects on business operations. Most of the Act is due to take effect on January 1, 2020 (though some provisions will not become effective until June 1, assuming that the California Attorney General issues proper regulations).
One effort to make the Act stronger is to remove to the 30-day cure period. Under the current version of the Act, businesses have a safe harbor of sorts and no legal action can be taken unless they are notified of a violation and the business cannot or does not cure the violation within 30 days of notice. That is a significant protection since two steps are necessary and, essentially, the failure-to-cure creates an intentional or knowing element to violations of the Act. See Cal. Civil Code, §1798.155(b). Sen. Jackson’s bill would eliminate the notice requirement and the cure period and would allow for immediate legal action.
Strengthening the Private Right of Action
Under the current version of the California Consumer Privacy Act, the Attorney General is given most of the responsibility of enforcing the Act. Under section 1798.150, consumers can only sue in a private lawsuit if their personal information is hacked or lost or leaked due to some negligence by the business in implementing or maintaining security procedures. Further, as noted above, any business would need to be notified and given a 30-day opportunity to fix the problem. While in practice there would be no ability to “fix” the problem if the data was hacked or lost, the notice requirement is a hurdle which must be jumped in order to file the lawsuit. Any impediment hinders the filing of cases and, in that sense, is a protection for businesses.
Under Sen. Jackson’s proposed bill, the private right of action would be expanded to allow a lawsuit for “any consumer whose rights under this title are violated.” The Attorney General is in favor of expanding private rights of action; the Attorney General is concerned about being the prime mechanism for enforcement since enforcement actions are likely to be costly and time-consuming.
Allowing General Opinions From the Attorney General’s Office
Finally, Sen. Jackson’s amendment seeks to make the enforcement for the Attorney General’s Office easier and less administratively burdensome. Under the current Act, the Attorney General is required to give case-by-case guidance with respect to enforcement questions. The proposed changes would remove this option and allow the Attorney General’s Office to issue general guidance about enforcement questions.
Call San Diego Corporate Law Today
The Act has the potential to significantly affect how San Diego businesses operate and violations of the Act have the potential to be very costly. We here at San Diego Corporate Law are watching developments closely. For more information, call corporate attorney Michael Leonard, Esq., of San Diego Corporate Law. Mr. Leonard’s law practice is focused on business, transactional, and corporate matters and he proudly provides legal services to business owners in San Diego and the surrounding communities. Call Mr. Leonard at (858) 483-9200 or contact him via email. Like us on Facebook.