Consumer private right of action blocked; penalties still strong under the California Consumer Privacy Act

As we’ve reported, the California Consumer Privacy Act of 2018 (the “CCPA”) was facing an amendment that would have seriously strengthened its enforcement power.  The amendment, introduced on February 22, 2019, by California State Senator Hannah Beth-Jackson, sought to expand the CCPA’s private right of action and remove the thirty-day cure period required for enforcement actions brought by the state’s attorney general. However, the amendment did not receive a vote in the Senate Appropriations Committee, effectively blocking the bill.

Specifically, the bill sought to allow consumers whose rights were violated under the CCPA to bring a private right of action. As the CCPA currently stands, the private right of action is limited to circumstances where a consumer’s non-encrypted or non-redacted personal information is part of a data breach that occurs as a result of a business’s failure to maintain reasonable security measures. Enforcement actions for other violations can only be brought by the Attorney General’s Office.

While SB 561 is blocked and no longer threatens to expand the consumers’ private right of action, penalties under the CCPA will still be powerful. Penalties for violations of the Act range from $100$750 per consumer per violation or actual damages, whichever is greater. Penalties also can include injunctive or declaratory relief. For actions for statutory damages, a consumer must provide a business with thirty days’ written notice and an opportunity to cure the violation. If the business cures, then the consumer cannot bring an action for statutory damages. For actual damages, a consumer is not required to provide thirty days’ notice and opportunity to cure.