California Attorney General Xavier Becerra. Credit: Diego M. Radzinschi / ALM

Newly introduced state legislation would give Attorney General Xavier Becerra the changes he's been seeking in the California Consumer Privacy Act, including the right for consumers to sue businesses that violate the sweeping new data-protection law.

Senate Bill 561 by Sen. Hannah-Beth Jackson, D-Santa Barbara, would expand the law's private right of action beyond data breaches to cover other corporate missteps, such as ignoring consumers' requests to delete their personal information. The law, as written now, only allows the attorney general's office to pursue most violations.

“I don't think the Legislature wants only the attorney general's office to be able to protect people's rights,” Becerra said Monday at a press conference with Jackson in Sacramento. “We need to have some help. And that's why giving [consumers] their own private right to defend themselves in court if the Department of Justice decides it's not acting—for whatever number of good reasons—that's important to be able to truly say … you have rights.”

The proposed changes are expected to open a new front in the battle between consumer and privacy groups supporting the law and technology and telecommunications trade groups seeking to restrict the regulations' reach.

The proposed changes would cover most of the items in a wish list Becerra submitted to lawmakers in August, when he called the law “unworkable” without amendments and additional funding. Becerra and Jackson acknowledged Monday that the new legislation could open the door to class actions over alleged privacy violations.

The legislation would strip language requiring the attorney general's staff to provide compliance guidance to companies. And the bill would eliminate a 30-day grace period for targeted companies to fix any violations before facing sanctions.

“In other words 'Catch me if you can and, if you do, I'll comply with the law,'” said Jackson, who chairs the Senate Judiciary Committee and is expected to block any attempts to weaken the law's provisions. “Once the horses have left the stable you can't get them back. And it is indeed a get-out-of-jail-free card for these bad actors.”

The California Chamber of Commerce assailed Jackson's new bill, saying the goal “appears to be lawsuits and attorney's fees.” The Chamber's statement added: “Punishment may be an incentive to increase compliance, but—especially where a law is new and vague—eliminating a right to cure does not promote compliance. SB 561 … will not only hurt and possibly bankrupt small businesses in the state, it will kill jobs and innovation.”

More than a dozen bills that could serve as vehicles for amending the California Consumer Privacy Act, or CCPA, were introduced by the Feb. 22 legislative deadline. Some seek to broaden the bill's reach, including one that would cover breaches of biometric and passport information. Others have no language yet but are expected to carry changes sought by business interests.

The Privacy Act was adopted last year by bipartisan legislative votes as an alternative to what would have been a lengthy and expensive November ballot initiative fight. Kevin McKinley, California government affairs director for the Internet Association, said in an email that the new bill's private right of action “would unwind a key piece of the deal that was struck last year to pass CCPA and to make the law workable for companies both big and small.”

“We strongly oppose the proposed changes to the enforcement mechanism,” McKinley said.

Becerra's office has launched a rule-making process that will help shape how the law is enforced. The next and last public forum on the rulemaking will be March 5 at Stanford Law School.

 

Read more:

Let Consumers Sue Under New Data Privacy Law, Becerra's Office Tells State

Business Groups Lobby for Changes to California Data Privacy Law

Alastair Mactaggart Predicts: Privacy Law Will Survive Tech Challenge

California Takes 'Giant Leap Forward' on Consumer Data-Privacy Rights