California's Senate voted on Thursday to hold SB-561, effectively killing the bill for 2019. The CCPA gives consumers the right to sue a business for data breaches, and SB-561 would have expanded the right to sue for any violation of the CCPA, even technical privacy violations. The death of the bill means that the private right of action will remain limited to data breaches, and the California legislature will not revisit expansion until 2020 at earliest.
Although SB-561 is dead (for now), the CCPA still has teeth. As a quick recap of potential penalties and damages available under the CCPA:
- Starting the sooner of July 1, 2020 or 6 months after the California Attorney General issues final regulations, the California Attorney General may bring a civil action against a business for any noncompliance, and recover civil penalties up to $2,500 per violation or $7,500 per intentional violation as well as subject to the business to an injunction.
- Starting January 1, 2020, a consumer may bring a civil action against a business for a data breach as a result of the business's violation of the duty to implement and maintain reasonable security procedures and practices, and (i) recover statutory damages between $100 to $750 per consumer per incident or actual damages (whichever is greater); (ii) obtain injunctive or declaratory relief; and (iii) obtain any other relief the court deems proper.
Because the CCPA allows consumers to bring class actions without proving actual damages, we expect an onslaught of class action litigation starting next January, similar to what we have seen with the Telephone Consumer Protection Act. For example, a data breach that affects 10,000 consumers could lead to a $7.5 million recovery (10,000 consumers x $750 per consumer = $7.5 million). While no business can definitively prevent a data breach, implementing strong preventative measures now will go a long way in defeating class action litigation next year.
We will continue to track the status of any proposed amendments to the CCPA. For more information on the proposed amendments and where they are in the legislative process, please see our recent post.
This post first appeared in Frankfurt Kurnit's Focus on the Data blog (www.focusonthedata.com). It provides general coverage of its subject area. We provide it with the understanding that Frankfurt Kurnit Klein & Selz is not engaged herein in rendering legal advice, and shall not be liable for any damages resulting from any error, inaccuracy, or omission. Our attorneys practice law only in jurisdictions in which they are properly authorized to do so. We do not seek to represent clients in other jurisdictions.