It is now clear that there will be no class-action exposure for privacy violations under the California Consumer Privacy Act when it takes effect in 2020. However, the range of data elements whose breach could give rise to class-action exposure under the CCPA appears likely to grow before the legislature adjourns in September.
Senate Bill 561, which had been endorsed by California Attorney General Xavier Becerra, was rejected in a California State Senate committee Thursday. This means as a practical matter the bill will miss the Senate cut-off deadline and will not move forward this year and that there will be no expansion of the private right of action to privacy violations. (The only other bill to contain this, Assembly Bill 1760, failed in the Assembly Privacy Committee last month.)
SB 561 would have not only created statutory damage class-action exposure for any violation of the CCPA’s operationally difficult privacy requirements, but it would also have eliminated the 30-day right to cure and the attorney general’s obligation to issue guidance in response to questions about the interpretation of the law. We had long thought that expansion of the private right of action was a long shot. The CCPA was the product of legislative compromise in the summer of 2018 in which class-action exposure was scaled to data breaches only in exchange for adding EU General Data Protection Regulation–like data subject rights to access, portability and deletion. Inserting class-action exposure for these intensely operational rights would have fundamentally altered that compromise and unleashed a flurry of class-action lawsuits after the CCPA takes effect.
Interestingly, the sponsor (“author,” in California parlance) of SB 561, Sen. Hannah Beth Jackson, D-Calif., continued to press for the private right of action, instead of opting to try to get the two other elements of the bill. We understand that a day before the Suspense Committee vote, she offered to narrow the class action to large businesses only but did not give up on the class-action idea. As a result, the entire bill will not move forward this year, although Jackson will likely try again next year, the last one before she is term-limited from running again.
However, this is not the end of the CCPA class-action story for this year.
A data breach and data security bill, AB 1130, also supported by the attorney general’s office, is moving. It contains an amendment to Civil Code § 1798.81.5 supported by the attorney general that expands the data sets that can give rise to data breach class-action lawsuits, as well as to California’s security breach notice law. The data covered by California Civil Code § 1798.81.5(d)(1)(A) is the touchstone for the consumer remedy under the CCPA, and AB 1130 expands this data set in two ways.
First, the data set now essentially covers many more government-issued ID numbers commonly used to establish identity. In addition to driver’s license and California ID card number, AB 1130 would now expand the CCPA to include tax identification number, passport number, military identification number or other government-issued identification numbers commonly used to establish identity.
Second, and perhaps more importantly, AB 1130 adds biometric data as a new category of covered information to the CCPA. Specifically, the current draft of AB 1130 includes "[u]nique biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina, or iris image used to authenticate a specific individual." Unique biometric data does not include a physical or digital photograph unless used or stored for facial-recognition purposes.
This would be an important expansion of the CCPA data breach private right of action because biometric data has been a frequent basis of class actions in other jurisdictions, and many companies are now utilizing biometric data for security screening. In fact, the net effect of adding this provision ironically may be to discourage the use of biometric data for security screening.
AB 1130 also seeks to amend California’s notice of security breach law in these same ways, so the data set that could give rise to notice to a California resident would similarly expand. However, it should be noted that not all notifiable data breaches in California give rise to class-action risk under the CCPA and that the data set that gives rise to breach notice under California law is a bit broader (by including online credentials) than the data set that gives rise to a private right of action under CCPA.
Photo by Joseph Barrientos on Unsplash