In late February 2019, a new amendment to the California Consumer Privacy Act (“CCPA,” “Act,” “title”) was proposed—SB-561. On its face this is a very significant amendment in that it changes the consumer’s private right of action from a very constrained set of circumstances to the violation of any “right under this title.” But a closer look at this proposed amendment reveals that the impact is far more profound in that it greatly expands the scope of the potential defendants by extending the private right of action to violations not just by “businesses” but also any other third parties.

The current Act is reflected in AB-375, as amended by SB-1121, an amendment that was adopted in September 2018. In SB-1121, the private right of action was limited to the situations where a consumer’s “nonecrypted or nonredacted personal information” was subject to unauthorized access or disclosure “as a result of the business’s violation of the duty to implement and maintain reasonable security measures. . . .” (Section 1798.150 (emphasis added).) In other words, it was only a business’s violation that could trigger the private right of action.

SB-561 not only removes the limitation of a private right of action to situations where the consumer’s personal information was accessed, but in doing so it implicitly expands the parties that can be alleged to have caused the violation. SB-561 expands the right of action to provide it to a “consumer whose rights under this title are violated” without qualification. Where previously we focused on companies that would qualify as “businesses” and their service providers as defined in the CCPA to determine who is impacted by the Act, we now have to reconsider that focus.

There is little question that entities that do not meet the definition of “business” can violate the rights of a consumer under the Act. The Act specifically contemplates the possibility of violations and liability of “service providers” (those with which the business provides consumer information pursuant to a written contract meeting certain criteria) in absolving a business for liability for those violations if it has no knowledge or reason to know about them. (See Section 1798.145(h).) As to others that are not service providers or businesses, a subsection to the definition of a “Third party,” states that “[a] person covered by this paragraph that violates any of the restrictions set forth in this title shall be liable for the violations.” (Section 1798.140(w).) Given the expansive definition of “person” contained in the Act, this suggests that any entity that violates any restrictions set forth in the Act is “liable for the violations” and could now be subject to suit with the consumer’s private right of action. Section 1798.155 relating to the Attorney General’s role in enforcing the law also confirms the ability for any entity to violate the Act as it expressly contemplates enforcement against “[a]ny business, service provider, or other person that violates this title. . . .”

By expanding the private right of action to any violation of the Act without qualification, SB-561 has opened up not just the breadth of the subject matter of suit, but also the scope of potential parties subject to the Act. If the SB-561 amendment is enacted, consider the impact to anyone that receives California resident personal information from an entity that is considered a “business” under the Act. If it can be alleged that the recipient violated any aspect of the Act, those recipients should expect that they may be subject to suit in California. In view of the expansive definition of personal information coupled with innumerable possible arguments as to how some provision of the title may have been violated, anyone receiving California resident personal information needs to take notice and consider such activities as “in scope” of the CCPA.

March 27, 2019/by Security