California May Further Toughen Data Privacy Law, Opening Firms to Suits
The strongest data privacy law in the country may be about to get sharper teeth, and lobbyists representing the tech industry think it’s a disastrous idea.
Companies that amass user data could be the target of mass class-action litigation from California consumers if they’re accused of violating the California Consumer Privacy Act, under a proposed amendment to the law filed Feb. 22.
The measure would allow consumers to sue such companies, including Facebook Inc. and Google Inc., for monetary damages should they be accused of breaking the law. If approved, the measure would dramatically raise the stakes of adhering to the statute and shape the conversation around federal regulations being considered by Congress.
In its unaltered form, the statute would give violators a 30-day window to “cure” any alleged malfeasance before facing consequences mostly limited to regulatory penalties.
This proposal eliminates that “get out of jail free card” if plaintiffs are suing for monetary damages, as described by the bill’s sponsor, Senator Hannah-Beth Jackson, a Democrat from Santa Barbara.”The tech industry, by its very nature, has been very much opposed to any form of regulation,” she said in an interview about the CCPA. “It’s an industry that’s reincarnated the Wild West; no rules, no limits, no regulation. We’ve reached the tipping point.”
Former Governor Jerry Brown signed the CCPA into law in 2018, with an effective data of July 2020. That leaves 2019 for parties to tighten or loosen the screws on an internet privacy law likened to Europe’s General Data Protection Regulation.
The bill is one of a handful of proposed amendments to the CCPA filed ahead of the state’s Feb. 22 deadline that lay the foundation for intense negotiations between industry lobbyists and privacy advocates. Other proposals include:
- requiring data brokers to register with the attorney general’s office
- requiring companies to inform users if their data may be sold to third-parties
- requiring companies to disclose the monetary value of users’ data
- allowing consumers and business to continue engaging in loyalty programs that otherwise may have been viewed as discriminatory under the CCPA
Industry advocates see the right to sue amendment as an unnecessary complication to an already intricate law that survived detailed negotiations on enforcement mechanisms before it was passed last year. It already includes a narrow right for consumers to sue over data breaches.Proposing a broader “right to private action,” as the broader measure to sue is described, could threaten to destabilize established business models in tech, insurance, retail and advertising, according to the bill’s opponents.
“A private right of action on a law that is not yet cooked would be a disaster,” said Sarah Boot, a lobbyist for the California Chamber of Commerce. “It would be a class-action bonanza,” she testified at a hearing on Feb. 20 about the CCPA.
That may be an overstatement. The lack of a state right to sue didn’t stop consumers from suing Facebook over the Cambridge Analytica scandal, in which the personal information of millions of Americans was transferred to the political consulting firm hired by President Donald Trump’s 2016 campaign. The admission by Facebook led to federal investigations and class-action claims by shareholders and consumers who alleged negligence and violations of California’s unfair competition laws.
The public backlash against Facebook over the ways in which its platform was used to influence the 2016 presidential election was a catalyst for data privacy advocates and lawmakers including Jackson. They argue that penalties should be harsher when a company collects then improperly discloses the data of 50 million people.
The amendment will be reviewed in legislative committees, where parties will testify about its viability before it may proceed for a vote. The proposal is also likely to be the subject of intense negotiations on the final rules of CCPA before the end of the year.
The law is already being used by other states as a model for data privacy regulation, and could serve as a standard for any legislation to be considered by lawmakers.
Both sides of the debate in California are aware of what’s at stake in Sacramento, since whatever happens here will almost undoubtedly shape the direction of the debate in Washington, according to Nicole Ozer, Technology and Civil Liberties Director for the American Civil Liberties Union of California.