California's toughest-in-U.S. data privacy law may get even stricter
(Bloomberg) --California lawmakers are seeking a series of expansions on their strictest-in-the-nation privacy law, a terrifying prospect for tech industry lobbyists as Congress begins work on a bill that could collide with state efforts.
Companies that amass user data could be the target of class-action litigation from state consumers if they’re accused of violating the California Consumer Privacy Act, under a proposed amendment to the law filed Feb. 22. Among other proposals are a requirement for data brokers to register with the state and for companies to disclose the value of users’ data -- measures that could target the still-unregulated underpinnings of the digital economy.
Users could sue companies including Facebook Inc., Alphabet Inc.’s Google and Walmart Inc., for monetary damages should they be accused of breaking the law. If approved, the measure would dramatically raise the stakes of adhering to the statute and shape the conversation around federal regulations being considered by Congress, which is beginning the formal process of writing a privacy law.
As it’s currently written, the California statute gives violators a 30-day window to “cure” any alleged malfeasance before facing consequences mostly limited to regulatory penalties. The law goes into effect in 2020.
The proposal eliminates that “get out of jail free card” if plaintiffs are suing for monetary damages, according to the bill’s sponsor, Senator Hannah-Beth Jackson, a Democrat from Santa Barbara.
“The tech industry, by its very nature, has been very much opposed to any form of regulation,” she said in an interview about the CCPA. “It’s an industry that’s reincarnated the Wild West; no rules, no limits, no regulation. We’ve reached the tipping point.”
Former Governor Jerry Brown signed the CCPA into law in 2018. An earlier version of the law gave consumers broad rights to sue, but tech, retail, pharma and insurers united in their opposition. The paring back of that provision by lawmakers was a key concession to business, which has continued to urge other changes to the law.
Jackson’s bill is one of a handful of proposed amendments to the CCPA filed ahead of the state’s Feb. 22 deadline that lay the foundation for intense negotiations between industry lobbyists and privacy advocates. Other proposals include:
- Requiring data brokers to register with the attorney general’s office
- Requiring companies to inform users if their data may be sold to third parties
- Requiring companies to disclose the monetary value of users’ data
- Allowing consumers and business to continue engaging in loyalty programs that otherwise may have been viewed as discriminatory under the CCPA
Right to Private Action
Industry advocates see the right to sue amendment as an unnecessary complication to an already intricate law that survived detailed negotiations on enforcement mechanisms before it was passed last year. It already includes a narrow right for consumers to sue over data breaches.
Proposing a broader “right to private action,” as the broader measure to sue is described, could threaten to destabilize established business models in tech, insurance, retail and advertising, according to the bill’s opponents.
“A private right of action on a law that is not yet cooked would be a disaster,” said Sarah Boot, a lobbyist for the California Chamber of Commerce. “It would be a class-action bonanza,” she testified at a hearing on Feb. 20 about the CCPA.
That may be an overstatement. The lack of a state right to sue didn’t stop consumers from suing Facebook over the Cambridge Analytica scandal, in which the personal information of millions of Americans was transferred to the political consulting firm hired by President Donald Trump’s 2016 campaign. The admission by Facebook led to federal investigations and class-action claims by shareholders and consumers who alleged negligence and violations of California’s unfair competition laws.
The public backlash against Facebook over the ways in which its platform was used to influence the 2016 presidential election was a catalyst for data privacy advocates and lawmakers including Jackson. They argue that penalties should be harsher when a company collects then improperly discloses the data of 50 million people.
The amendment will be reviewed in legislative committees, where parties will testify about its viability before it may proceed for a vote. The proposal is also likely to be the subject of intense negotiations on the final rules of CCPA before the end of the year.
The law is already being used by other states as a model for data privacy regulation, and could serve as a standard for any legislation to be considered by lawmakers.
Whatever happens in Sacramento, California’s state capital, will almost undoubtedly shape the direction of the debate in Washington, according to Nicole Ozer, technology and civil liberties director for the American Civil Liberties Union of California.
On Tuesday and Wednesday, Congress is scheduled to hold committee hearings on privacy laws, one each in the House and Senate. Despite a variety of proposals that have already emerged, industry and consumer groups are primarily focused on the work of a bipartisan foursome on the Senate Commerce Committee. That panel, which will host the Wednesday hearing, would likely oversee any legislative push on the issue.
Republicans traditionally oppose giving consumers broad rights to sue, so the idea would likely face hurdles there. Democrats, who control the House, are poised to push their own agenda, informed in part by what has become standard in California.
California Republicans, ironically, are lobbying their counterparts in Congress to avoid passing legislation that would preempt the California law with a watered down data privacy act for the entire country.
“California has made huge strides on behalf of consumers in the new war for individual privacy,” according to a letter submitted ahead of this week’s congressional committee hearings. “We encourage you to allow California and other states to continue to adopt pro-privacy policies that protect consumers and hold bad actors accountable.”