Last week, California Attorney General Xavier Becerra and Senator Hannah-Beth Jackson introduced Senate Bill 561, which would amend the California Consumer Privacy Act in the following ways:
Allows consumers to bring a private cause of action if their rights are violated. This updates the current CCPA language such that consumers would no longer need to demonstrate unauthorized access and exfiltration, theft, or disclosure of their non-encrypted or non-redacted personal information to bring a private cause of action. The violation of their rights alone would suffice. (Note: this aligns closely with the decision made by the Illinois Supreme Court last month to allow a Biometric Information Privacy Act (BIPA) suit to proceed, despite the fact that no appreciable "harm" could be demonstrated from the violation of BIPA provisions by Six Flags).
Removes the 30-day "grace period", which currently allows businesses to "cure" an alleged violation within 30 days without penalty.
Removes the ability for businesses or third parties to seek the AG's guidance on how to comply with the law. Instead, the AG may provide materials with general guidance, but individual consultation is not provided for in this amendment.
If Illinois' BIPA is any indication, businesses subject to the CCPA should be concerned about the introduction of a private cause of action for violations without demonstrated harm. Currently, there are over 200 BIPA suits pending in the state of Illinois related to BIPA violations, and businesses without defensible compliance practices in place are sure to feel the consequences of noncompliance.
If passed, the risk to businesses for noncompliance with the CCPA will dramatically increase...Consumers, without any demonstration of harm, would have the ability to file suit for any alleged violation of their rights under the CCPA. Additionally, if the proposed bill passes as drafted, businesses would no longer have the opportunity to cure the violation within 30 days before a private lawsuit suit could be filed or before the Attorney General could initiate an action. - Elaine F. Harwell, Procopio Cory Hargreaves & Savitch
Jordan Lawrence has been serving legal and compliance executives for decades. Our services provide clear and defensible processes that help companies meet specific legal and regulatory obligations for CCPA Compliance in the inter-related fields of data inventory management, vendor risk profiling, and data retention and disposal. Learn more about our work around CCPA.