Print PDF


RSSAdd blog to your RSS reader

All Topics

Contact Us



New Bill Introduced in California Aims To Strengthen and Clarify CCPA

As we have previously reported, California’s Consumer Privacy Act (the “CCPA”) was passed in 2018 and goes into effect in January 2020, which provides broad protections for consumers in their ability to control the use of their personal data.  You can see our prior article here.  On February 25, 2019, California Attorney General Xavier Becerra and Senator Hannah-Beth Jackson introduced SB 561, legislation intended to strengthen and clarify the CCPA. The Attorney General’s press release can be viewed here.  Senator Jackson has stated that the bill is designed to ensure that “the most significant privacy protections in the nation are robustly enforced”. 

The bill provides for three key points of clarification and expansion with respect to the CCPA.

First, the CCPA specifically authorizes that if a consumer’s non-encrypted or non-redacted personal information is subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business’ failure to maintain reasonable security procedures, that the consumer may bring a claim against the business for various damages. This bill would expand a consumer’s right to bring a civil action for damages for any other violations of the CCPA.

Second, as currently enacted, the CCPA states that a business or third party may seek the opinion of the Attorney General for guidance on how to comply with the act. The bill instead specifies that the Attorney General “may publish materials that provide businesses and others with general guidance on how to comply” with the law, effectively removing a business’ right to seek specific guidance from the Attorney General.

Finally, the CCPA currently states that any business, service provider, or other person that violates the act is liable for a civil penalty for each violation, and that a business is deemed to be in violation of the act if it fails to cure an alleged violation within 30 days after being notified of such alleged violation. The bill removes this 30 day cure period, thereby creating a situation whereby businesses may be subject to civil penalties at the time an alleged violation occurs.

Takeaway: This bill undoubtedly strengthens the CCPA, providing for a more expansive private right of action, in addition to restricting two measures included in the current law that arguably protect businesses to some extent. Data protection is clearly a hot topic right now, particularly in California. As the effective date of the CCPA continues to draw closer, we recommend that those businesses potentially affected by the data privacy law keep up to date on any legislative updates, including the passage of this bill.

Back to Page