As the Effective Date of the CCPA Approaches, Expect More Changes

By Styskal, Wiese & Melchione

March 6, 2019

As financial institutions prepare to comply with the provisions of the California Consumer Privacy Act (CCPA) which takes effect on January 1, 2020, they should also be prepared for amendments that are sure to take place which may require further planning and preparation.  A recent bill introduced by California Attorney General Xavier Becerra and Senator Hannah-Beth Jackson seeks to strengthen and clarify certain provisions of the CCPA.

Currently, a consumer may bring a private civil action for damages if the consumer’s nonencrypted or nonredacted personal information is subject to unauthorized access and exfiltration, theft, or disclosure due to a business’s failure to maintain reasonable security procedures.  Moreover, the existing provisions of the CCPA allow a business to cure an alleged violation within thirty (30) days after notice and to seek an opinion of the Attorney General for guidance on how to comply with the CCPA.  Senate Bill 561 intends to: (i) expand a consumer’s right to bring a private cause of action for any violation of their rights under the CCPA, (ii) eliminate the 30-day cure period available to a business after receiving notification of an alleged violation, and (iii) eliminate the ability for a business or third party to seek the opinion of the Attorney General for guidance on how to comply with the CCPA and instead would indicate that the Attorney General may publish materials providing guidance.  If enacted, this Bill would essentially make compliance more difficult and costly for financial institutions.

Keeping in mind that further amendments to the CCPA are likely to take place prior to the effective date and that final interpretive regulations will soon be provided, financial institutions should ensure they have the capability to quickly implement the appropriate operational requirements to ensure compliance on the effective date.