Cal AG Offers Legislation Making CaCPA More Onerous and Expand Private Right of Action

Cal AG Offers Legislation Making CaCPA More Onerous

On Monday, California Attorney General Xavier Becerra and Senator Hannah-Beth Jackson today unveiled  Senate Bill 561 to amend the California Consumer Privacy Act (CaCPA) passed last year in three critical respects as described in their joint press release:

(1) Removes the Attorney General’s requirement to provide 30-day notice before taking action, essentially a “get out of jail free card” for bad actors.

The 30-day notice requirement included in CaCPA was not a gift to businesses but a continuation of existing law.  For example, the California Online Privacy Protection Act (CaOPPA) which was passed in 2003, requires websites collecting information about California consumers to post a privacy policy.  A business in violation of CaOPPA only if the business “fails to post its policy within 30 days after being notified of noncompliance.”  This is not a “get out of jail free card,” but a safe harbor for well-meaning businesses who may not be fully aware of their obligations.

(2) Removes an onerous requirement to provide legal opinions directly to any business or third party, which would unnecessarily divert public funds and resources from enforcement.

The Attorney General has objected to language in CaCPA that allows “[a]ny business or third party may seek the opinion of the Attorney General for guidance on how to comply with the provisions of this title.”  This is not unusual in complex regulatory schemes.  For example, the Internal Revenue Service provides “Private Letter Rulings” to address questions as to whether certain measures would comply with existing law.  The Private Letter Rulings are published and offer guidance and clarity to the tax bar as a whole.

Clearly, the legislature thought this might be necessary for such a new and comprehensive statutory regime as has been adopted in California.  The Attorney General’s Office, however, has resisted this and apparently does not want to devote its resources to facilitating compliance.

(3) Allows Californians whose rights have been violated under the CCPA to seek justice.

The CaCPA allows for enforcement by the Attorney General and a private right of action for data breaches which cause the greatest consumer harm.  Expanding a private right of action to any violation of CaCPA regardless of the extent of actual damage will create a privacy litigation frenzy.

Senator Jackson is the Chair of the Senate Judiciary Committee which, combined with the support of the Attorney General, makes this legislation very likely to advance.  Businesses need to let themselves be heard on this legislation.  Click here to find out who your representatives in the California Senate and Assembly and how to contact them.

---

BILL TEXT

THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:

SECTION 1.

Section 1798.150 of the Civil Code is amended to read:

1798.150.

(a) (1) Any consumer whose rights under this title are violated, or whose nonencrypted or nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following:

(A) To recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater.

(B) Injunctive or declaratory relief.

(C) Any other relief the court deems proper.

(2) In assessing the amount of statutory damages, the court shall consider any one or more of the relevant circumstances presented by any of the parties to the case, including, but not limited to, the nature and seriousness of the misconduct, the number of violations, the persistence of the misconduct, the length of time over which the misconduct occurred, the willfulness of the defendant’s misconduct, and the defendant’s assets, liabilities, and net worth.

(b) Actions pursuant to this section may be brought by a consumer if, prior to initiating any action against a business for statutory damages on an individual or class-wide basis, a consumer provides a business 30 days’ written notice identifying the specific provisions of this title the consumer alleges have been or are being violated. In the event a cure is possible, if within the 30 days the business actually cures the noticed violation and provides the consumer an express written statement that the violations have been cured and that no further violations shall occur, no action for individual statutory damages or class-wide statutory damages may be initiated against the business. No notice shall be required prior to an individual consumer initiating an action solely for actual pecuniary damages suffered as a result of the alleged violations of this title. If a business continues to violate this title in breach of the express written statement provided to the consumer under this section, the consumer may initiate an action against the business to enforce the written statement and may pursue statutory damages for each breach of the express written statement, as well as any other violation of the title that postdates the written statement.

(c) The cause of action established by this section shall apply only to violations as defined in subdivision (a) and shall not be based on violations of any other section of this title. Nothing in this title shall be interpreted to serve as the basis for a private right of action under any other law. This shall not be construed to relieve any party from any duties or obligations imposed under other law or the United States or California Constitution.

SEC. 2.

Section 1798.155 of the Civil Code is amended to read:

1798.155.

(a) Any business or third party may seek the opinion of the The Attorney General for may publish materials that provide businesses and others with general guidance on how to comply with the provisions of this title.

(b) A business shall be in violation of this title if it fails to cure any alleged violation within 30 days after being notified of alleged noncompliance. Any business, service provider, or other person that violates this title shall be subject to an injunction and liable for a civil penalty of not more than two thousand five hundred dollars ($2,500) for each violation or seven thousand five hundred dollars ($7,500) for each intentional violation, which shall be exclusively assessed and recovered in a civil action brought in the name of the people of the State of California by the Attorney General. The civil penalties provided for in this section shall be exclusively assessed and recovered in a civil action brought in the name of the people of the State of California by the Attorney General.

(c) Any civil penalty assessed for a violation of this title, and the proceeds of any settlement of an action brought pursuant to subdivision (b), shall be deposited in the Consumer Privacy Fund, created within the General Fund pursuant to subdivision (a) of Section 1798.160 with the intent to fully offset any costs incurred by the state courts and the Attorney General in connection with this title.