The California Senate and Assembly unanimously approved the California Consumer Privacy Act (CCPA) on June 27, 2018 (AB 375), and Governor Jerry Brown signed it into law the next day.
WHAT THE CCPA DOES
The CCPA gives consumers the right to know what sort of information companies are collecting from them, what the purpose of collecting that information is, and with whom the companies are sharing that information. Consumers have the ability to tell companies to delete their personal information, and not to share or sell the information, and the
companies are not obligated to treat the consumers any differently as a result of their decision to opt out. Under the CCPA as it currently reads, companies and employers who are subject to the law must be ready to comply by January 1, 2020.
THE CCPA’S PRIVATE RIGHT OF ACTION
As drafted, the CCPA includes a private right of action for consumers whose personal information “is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.”
A consumer may bring a lawsuit under the Act’s private right of action if he or she is able to meet certain requirements. Before initiating any lawsuit against a business for statutory damages on either an individual or classwide basis, a consumer must provide that business with 30 days’ written notice identifying the specific provisions of the CCPA that the consumer alleges have been or are being violated. If the business is able to cure the alleged violation and provides the consumer with notice that it has done so and that it will not continue to violate the CCPA, the consumer cannot initiate a lawsuit against that business seeking statutory damages.
DEVELOPMENTS AFTER ENACTMENT
After AB 375 was enacted, various consumer groups weighed in with concerns about the bill. Attorney General Xavier Becerra chimed in with a letter addressed to the CCPA’s sponsors on August 22. Notably, Becerra proposes that the private right of action should allow consumers to seek legal remedies for themselves to protect their own privacy, instead of the “limited right to sue” they are afforded under the CCPA only if they become a victim of a data breach. Becerra cautions that this limited private right of action will increase his need for enforcement resources. Where the line is ultimately drawn will be informative as businesses and employers prepare to respond to the enactment of the CCPA and begin to understand the parameters of lawsuits brought by individuals.