Sacramento State Capitol building on Capitol Way. Photo: Jason Doiy/ Recorder

Attorney General Xavier Becerra's office Wednesday pressed lawmakers to add a broad private right of action to the new California Consumer Privacy Act, arguing that his office doesn't have the resources to enforce the data-protection law by itself.

Speaking to a legislative panel examining the law, Stacey Schesser, supervising deputy attorney general for Becerra's privacy unit, renewed criticisms that Becerra leveled against the California Consumer Privacy Act, or CCPA, after its passage last August.

One of his complaints is that consumers will have only a limited right to sue if they are victims of a data breach. Other violations, such as a company improperly selling a customer's data, can only be pursued by the attorney general. The law takes effect in January.

“Private rights of action provide a critical adjunct to government enforcement and they ensure that consumers can assert their rights and seek appropriate remedies,” Schesser told members of the Assembly privacy committee. “The attorney general urges you to expand the CCPA private right of action to include violations of the key rights provided by this act.”

The law, enacted as an alternative to a proposed ballot initiative brought by San Francisco real estate developer Alastair Mactaggart, gives Californians the right to see what personal information companies collect about them and to opt out of the sale of that data. California's law has been the model for at least six privacy bills introduced in other states.

Schesser also asked lawmakers to strike language requiring the California attorney general's office to offer opinions to companies with compliance questions and to give businesses a chance to cure certain violations before filing a case.

“This would essentially be a get out of jail free law,” Schesser said. “The CCPA's right to cure would allow even the worst offenders to receive a pass rather than allowing the attorney general to use his prosecutorial discretion in enforcing the law.”

Sarah Boot, a lobbyist for the California Chamber of Commerce, testified that educating businesses about compliance instead of prosecuting them would be “money well spent.” And she said Becerra's request to add a private right of action “to this incredibly confusing and detailed, complex law is frightening.”

“It would be a class action bonanza,” Boot said.

The dueling critiques foreshadow the legislative battles coming over the next seven months as the law's backers and detractors fight for amendments. The audience at Wednesday's hearing was filled with representatives of consumer groups, telecommunications companies, tech lobbies, retailers and advertisers, all eager to either protect the law's current provisions, beef them up or significantly restrict their reach.

Two lawmakers who carried the Consumer Privacy Act have introduced a so-called placeholder bill that could carryl changes to the law. Another bill unveiled last week would set data-sharing rules specifically for telephone companies. And on Wednesday, Internet Association lobbyist Kevin McKinley said legislation is coming to limit what constitutes the sale of personal information under the law.

Tanya Forsheit, who chairs Frankfurt Kurnit Klein & Selz' privacy and data security group, testified that companies have spent millions of dollars trying to comply with the European Union's General Data Protection Regulation, or GDPR, laws.

“Many if not most U.S. companies are still not in compliance with the GDPR because it's such a significant undertaking,” Forsheit said. “The CCPA is even more complex and challenging … Experience with the GDPR has already demonstrated that we are going to need some changes to the CCPA and to the timeline for compliance to be realistic.”

Read more:

Business Groups Lobby for Changes to California Data Privacy Law

Alastair Mactaggart Predicts: Privacy Law Will Survive Tech Challenge

Look Out for the 'Look Back'—Begin CCPA Prep Now