The California Consumer Protection Act: Groundbreaking, but will it be enforced?

By Loyola Law School Lecturer and Reference Librarian Tobe Liebert

Privacy of consumer information is a topic that has received a huge amount of attention in recent years, fueled by the growing public sense that Internet and technology companies are not acting as good guardians of customer information.  With the recent passage of the California Consumer Privacy Act (the CCPA) California thrust itself into the forefront of the debate over what laws are needed to provide adequate privacy and security for personal information.  The CCPA, which will become effective on January 1, 2020, goes far towards creating privacy safeguards in line with the expansive protections found in the European Union’s General Data Protection Regulation (the GDPR).  But the act remains a work in progress, and there are some serious questions about how vigorously it can be enforced.

One of the most contentious issues discussed during the enactment of the CCPA was whether a “private cause of action” should be included in the act.  A private cause of action refers to the issue of whether a private citizen may bring a civil action to claim damages for violations of the act.  If not, then actions to remedy violations can only be brought by the state, acting through the Attorney General’s office.  Proponents of the inclusion of a private cause of action argued that compliance with the provisions of the CCPA would be much more likely if companies were faced with the possibility of civil actions brought by trial lawyers for violations of the law.  Opponents of a private cause of action believed that it would lead to a flood of lawsuits, imposing a huge and expensive burden on businesses in California.

As passed, the CCPA provided only a limited private cause of action.  Such action is permitted only when a security breach occurred and a consumer’s data was hacked or stolen.  Even this limited private cause of action has an exception, however, a requirement that companies first be given notice of a breach and 30 days to “cure” any violation if no actual damages can be proven (that is, in an action for “statutory damages”).

And this leads to perhaps the greatest obstacle to the CCPA’s becoming an effective tool for protecting California citizens:  the Attorney General’s lack of resources to enforce the law.  In hearings held this spring before the Senate and Assembly Committees, a deputy attorney general testified that the Attorney General’s office was woefully understaffed for this role.  In fact, her opinion was that the Attorney General’s office might have the resources to prosecute only a few cases a year.

Because of this funding issue, the Attorney General worked with Senator Hannah-Beth Jackson and introduced Senate Bill 561.  This bill proposed to amend the CCPA to allow a private cause of action for any consumer “whose rights under this title are violated.”  This change in language would permit California consumers to file suit over any violation of the CCPA.  The bill, however, failed to move out of the Senate Appropriations committee before the May deadline.  Thus, this ended any chance that the CCPA would be amended this session to allow for an expanded private cause of action.

It is notable that with the passage of the CCPA, other states have now introduced similar legislation.  In particular, the “New York Privacy Act,” Senate bill 5642, has many of the same protections of the CCPA and, very importantly, contains a private cause of action for any violations of the act.  Hearings on the bill were recently held and its proponents are hoping to bring it to a vote this summer.