Key Point: SB 561, which would have expanded the CCPA’s private right of action, has failed.

According to multiple reports, SB 561 failed to pass the California Senate on Thursday. The failure of SB 561 is a significant victory for businesses as the bill would have expanded the California Consumer Privacy Act’s (“CCPA”) private right of action to allow individual consumers to sue businesses for violations of the CCPA’s privacy-related rights. The current version of the CCPA only allows individual consumers to sue for certain types of data breaches and leaves enforcement of the CCPA’s privacy-related rights to the California Attorney General’s office. SB 561 was backed by the California Attorney General’s office and privacy-rights organizations. It was strongly opposed by business interests. You can read more about SB 561’s failure here and here. 

Over the next few months, Husch Blackwell’s privacy and data security blog will continue to provide updates on the CCPA. Register here to stay up-to-date on all of the latest news. Husch also will be hosting a webinar on June 5 to provide an update on the CCPA’s amendment process. Click here for more information and to register.

While SB 561’s failure is certainly a welcome outcome for businesses subject to the CCPA, it does not mean that businesses can slow down on their compliance efforts. The CCPA still allows the Attorney General’s office to seek $2,500 per “violation” and $7,500 per each intentional violation. If those amounts are applied on a per consumer or per day basis, the potential damages could be substantial. Additionally, the CCPA allows consumers to seek statutory damages of between $100 and $750 “per consumer per incident” for data breaches due to a business’s failure to implement and maintain reasonable security procedures and practices.

However, businesses can breath a little easier knowing that the CCPA will not unleash endless class actions.