California Attorney General Looks to Expand New Data Privacy Law
February 25, 2019 – The state attorney general is aiming to give more teeth to a new data privacy law before it takes effect next year by expanding his and Californians’ right to sue companies for damages.
Under SB561, unveiled Monday by Attorney General Xavier Becerra and state Sen. Hannah-Beth Jackson (D-Santa Barbara), consumers would be able to take a business to court for sharing or selling their personal information without permission. The attorney general’s office also would be allowed to take action against a company without first giving it a chance to correct violations of the data privacy law.
Becerra said the proposed changes were based on concerns he raised last year as the original bill was being drafted that it was not enforceable.
“We’re giving Californians control of their data,” he said at a news conference. “I can’t be out there to represent 40 million people on their one particular concern based on a violation by one particular company. But that’s important for that one individual.”
Lawmakers passed legislation last summer to give customers more power over the personal data that businesses collect about them and more opportunity to seek compensation when those data are breached.
But they also immediately began talking about amending the law, which was hastily passed before a deadline for proponents of a more far-reaching voter initiative to pull their measure from the ballot. Legislators have introduced more than a dozen bills this session to further the goals of the law or provide exemptions to certain industries. It does not take effect until January 2020, and the state Justice Department is still writing regulations.
The data privacy law requires that businesses disclose to customers what personal data they are collecting and, upon request, to stop selling the information to third parties or even delete it altogether. If a company fails to follow reasonable security measures and personal data are breached, consumers can sue for up to $750 per person per breach.
Lawsuits are limited, however, by a provision requiring that people give a company written notice to fix the problem before seeking damages. If the company does so within 30 days, a suit cannot proceed.
SB561 would eliminate that provision for the attorney general. Becerra said giving companies a chance to address violations of the law before they can be held accountable is a “get-out-of-jail-free pass.”
Consumers also would be able to sue for more than just a data breach under SB561. Justice Department officials said customers could sue if, for example, a company didn’t provide a link on its website where customers could opt out of having their data sold.
The measure would eliminate another requirement that the attorney general provide an opinion to businesses that seek guidance about how to comply with the data privacy law. Becerra said his office does “not give out free legal advice.” Instead, it would be allowed to publish general guidelines.
SB561 strikes at the very core of opposition to the data privacy law, which internet, technology, retail and other business groups lobbied against last year. The California Chamber of Commerce said the goal “appears to be lawsuits and attorney’s fees.”
The Internet Association, an organization of tech giants including Google, Facebook and Amazon, said in a statement that it was “strongly” opposed to the new bill. Kevin McKinley, the group’s director of California government affairs, said “it would unwind a key piece of the deal that was struck last year … to make the law workable for companies both big and small.”
Jackson defended her bill as a way to deter bad behavior rather than to punish it: “If you don’t violate the law, you don’t get sued,” she said.
By Alexie Koseff, San Francisco Chronicle
Read More Here