SB 561 Aims to Make CCPA More Consumer-Friendly by Expanding a Private Right of Action and Removing the Right to Cure

Last week, California State Senator Jackson and state Attorney General Becerra introduced a new bill, Senate Bill 561.  If passed, it will greatly expand the consumers’ right to bring private lawsuits for violations of the California Consumer Privacy Act (“CCPA”).  SB 561 will: (1) provide for a private right of action for all CCPA violations—not just those stemming from a data breach; (2) eliminate the 30-day safe-harbor provision that currently allows companies to cure the violation and thereby avoid a private right of action; and (3) prevent companies from seeking specific opinions from the Attorney General and instead allow the AG’s office to provide “general guidance” via publications.

Currently, the CCPA enables only the AG’s office to sue in most circumstances.  California consumers who wish to file a private action face industry-backed hurdles.  Specifically, the current version of the CCPA only allows consumers to sue over data breaches resulting from a business’s failure to implement reasonable security measures.  It further provides a safe harbor for companies by requiring the consumer to notify the business of the alleged violation before a private lawsuit can be filed and then giving the company 30 days to cure the alleged violation.  

If passed, SB 561 will make the CCPA a lot less friendly to the industry and “would expand a consumer’s rights to bring a civil action for damages to apply to other violations under the act.” Another key proposed change is to delete the current requirement of the “30-day period in which to cure after receiving notice of an alleged violation.”

Notably, the CCPA in its present version does provide California residents with the right (1) to learn what information companies collect about them, (2) to request the deletion of that information, and (3) to prevent the sale of it to others.  Consumers cannot sue for these violations, however.  The CCPA also requires businesses to take reasonable data-security measures and allows consumers to sue only if they reported the violations to the business, and the business then failed to cure them within 30 days.  SB 561 seeks to change that by greatly expanding consumers’ rights: to allow them to sue companies not only when they fail to cure security-related violations but also when they do not provide consumers with the information they collected, or fail to honor requests to refrain from selling consumer data, or violate other provisions of the CCPA.

The bill further seeks to “specify that the Attorney General may publish materials that provide businesses and others with general guidance on how to comply with the act.”  Arguably, this would no longer allow businesses to ask the Attorney General for specific opinions on how they can comply with the CCPA.  Rather, in his discretion, the Attorney General “may” publish “general guidance.”  It is unclear how much utility this amendment will provide to businesses, as Attorney General Becerra has already clarified that his office’s goal is to protect consumers—not to “give out free legal advice” to companies.

The CCPA has already been revised once before.  Specifically, SB 1121, which was signed into law in late 2018, made “various technical and clarifying changes” to correct drafting errors, ambiguities, and some inconsistencies.  Still, additional revisions are expected in 2019, and companies should closely monitor further developments.  An informational California Senate hearing on the CCPA will take place on March 5, 2019 at 1:30 p.m.

To learn more about CCPA and view the first installment in the Mintz Privacy Team’s CCPA Preparation Series, please click here.  Our next webinar, “Is the CCPA Really GDPR-Lite?” will be broadcast on March 27th and you can register here.

Cynthia J. Larose

Member / Co-Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.