In April 2019, the California Assembly Privacy and Consumer Protection Committee rejected a proposal known commonly as the “Privacy for All Act” (AB-1760), which among other things would have provided a private right of action for all violations of the California Consumer Privacy Act (CCPA). The rejection of AB-1760 was a blow to consumer privacy advocates. A similar measure, SB-561, would also have provided a private right of action for all privacy violations. That bill has also been defeated, meaning that the CCPA’s private right of action provisions will not be expanded this year.
SB-561 would have provided consumers a private right of action to sue companies on their own behalf for any violation of the CCPA. Presently, the CCPA provides that the consumer private right of action is limited to violations of the law’s data security requirements, where those violations lead to unauthorized access and exfiltration, theft or disclosure of personal information. Additionally, SB-561 would have provided companies with a mechanism to seek the California Attorney General’s opinion on CCPA compliance. The proposed bill would also have removed the CCPA’s “cure” provision, which provides that companies have a 30-day period to cure the alleged violations of the CCPA prior to initiation of a civil lawsuit.
For procedural reasons, the California Senate Appropriations Committee’s failure to advance SB-561 means that the Bill will not advance to a vote by the California Senate or Assembly prior to the May 31, 2019 legislative deadline, effectively killing any chance the bill will advance in 2019.
As such businesses can take some comfort that the private right of action will not be expanded – at least not this year. Whether the Legislature takes the issue up again in 2020 is one of the many unknown features of this fast-evolving law.