N.B. This article is a transcript of TheGDPRGuy Podcast Episode 10 – CCPA SB 561 from May 2019.

For those of you looking at the California Consumer Privacy Act (the CCPA), Senate Bill 561 was probably at the centre of your radar. But to the significant disappointment or glee of many of you, depending on who you are, SB 561 is now dead, with the bill failing to receive a single positive vote in yesterday’s Senate Appropriations Committee.

To explore what this means for Californians and those looking to comply with the CCPA, I’ll dive into the bill, what it was trying to do and what its demise means.

In my recent podcast and blog post I described how the CCPA can be enforced in two ways: by the Attorney General and by individual Californian consumers. But the big difference is that the Attorney General can take action for non-compliance with all parts of the CCPA, whereas individual consumers are permitted to take private action only when their data has been breached. This led to many privacy activists demanding an amendment to the CCPA through SB 561 to extend this private right of action to apply to all compliance breaches, not just data breaches.

The Attorney General was a vocal sponsor of this extended private right of action, allowing the burden of enforcement to be spread far and wide. Having the resources to enforce the CCPA was clearly a concern, and in February he told reporters, “I don’t think the Legislature wants only the Attorney General’s Office to be able to protect people’s rights… We need to have some help.” And in April, Stacey Schesser (the Supervising Deputy Attorney General on Consumer Protection) told a senate hearing that they would only be able to enforce three cases per year.

Here’s Stacey Schesser talking about the Private Right of Action (or the “PRA” as she calls it) and the enforcement challenge for her office.

Stacey Schesser – Supervising Deputy Attorney General on Consumer Protection

SB 561 also sought to reduce the workload of the Attorney General’s Office by removing the requirement for them to advise companies on how to comply with the CCPA. But on Thursday 16th May, the Senate Appropriations Committee voted unanimously against the bill, killing SB 561 and giving the Attorney General a huge enforcement headache.

Privacy activists will be especially dismayed by the 30-day “right to cure” period remaining in force, which SB 561 would have removed. This right to cure gives companies a 30-day window to resolve compliance breaches after the Attorney General notifies them of a violation, and so avoid any fines. And with this cure period still in effect, I wouldn’t be surprised to see companies now taking a more risk-tolerant approach to CCPA compliance. It reminds me of the expression, “It’s better to ask for forgiveness than ask for permission.”

And for Californian consumers, their private right of action now remains solely for negligent data breaches. Some lawyers have expressed delight at this, as it alleviates concerns over a potential flood of frivolous private litigation, whilst a silent majority within the legal profession will no doubt be disappointed to have lost their CCPA payday.

With SB 561 gone, the next big amendment to the CCPA to look out for is SB 753, which seeks to give the Adtech industry an exemption from the Do Not Sell rules. I’ll let you know when there’s an update on this in the coming weeks.

Carl Gottlieb

Carl Gottlieb is the privacy lead and Data Protection Officer for a select group of leading tech companies. Carl’s consultancy company Cognition provides a range of privacy and security services including virtual DPO and virtual CISO.