As discussed in our prior post, the California Consumer Privacy Act of 2018 (the “Act”) is expected to be modified by the California legislature prior to its January 1, 2020, enforcement deadline. In fact, while Governor Brown signed the legislation less than two months ago, one effort to amend the law already is underway through California Senate Bill 1121.
However, those hoping for large scale changes to the law may have to wait. According to the Assembly Bill Analysis (available here), Senate Bill 1121 only is intended to “make a variety of technical, clarifying, and non-substantive changes to correct drafting errors in the new law.” The examples of such “drafting errors” given by the Bill Analysis are:
- Clarifying that the private right of action is limited to the data breach provision of the Act;
- Replacing the term “verified request” with “verified consumer request” throughout the Act to accurately reflect the definitions contained therein;
- Correcting the plural possessive use of “business” throughout the Act;
- Reorganizing certain paragraphs to ensure clarity;
- Striking duplicative sentences; and
- Clarifying that the rights and obligations in the Act shall not be construed to infringe on First Amendment-protected newsgathering activities.
While many of the changes are, in fact, just technical fixes, the proposed change to the private right of action could be significant for businesses subject to the Act. In our prior webinar on the Act, we discussed how plaintiffs’ lawyers could plausibly argue that the current private right of action language is broad enough to enforce the privacy rights provided under the Act.
Senate Bill 1121 would attempt to address that by adding limiting language to the private right of action, providing that “[t]he civil action established in this section shall apply only to violations of subdivision (a).” Subdivision (a) of Section 1798.150 now states:
Any consumer whose nonencrypted or nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following:
(A) To recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater.
(B) Injunctive or declaratory relief.
(C) Any other relief the court deems proper.
Frankly, it is arguable whether Senate Bill 1121’s proposed language is the best method to limit the private right of action to just data breaches. A better (or additional) fix would be to undo the last minute change to this section by deleting “an unauthorized access and exfiltration, theft, or disclosure” and replacing it with “a security breach of the business as described in Section 1798.82.”
In any event, at a minimum, having the Assembly Bill Analysis state that the proposed change is intended to limit the private cause of action to the data breach provision of the Act is certainly welcome news for businesses subject to the Act.
Finally, while Senate Bill 1121’s stated purpose is only to address non-substantive issues, both privacy and business advocacy groups have used the bill as an opportunity to publicly state their positions on how the Act should (or should not) be amended.
In the end, at least one thing appears certain – there is going to be a lot more to come on the Act before the January 2020 enforcement deadline.