Debate over consumers' right to sue under new California privacy law just beginning

2 July 2018 2:34pm

29 June 2018. By Amy Miller

The political wrangling over a new California privacy law that gives consumers sweeping new protections for their online data isn’t over yet.

The California Consumer Privacy Act of 2018 won’t go into effect until 2020, and that means tech companies and other business groups will be lobbying hard in the meantime to reshape the legislation more to their liking. And much of the debate is likely to center on the scope of provision in the law that gives consumers the right to sue companies for damages.

The privacy law, the first of its kind in the US, was fast-tracked through the legislature and signed by Governor Jerry Brown Thursday. It gives California consumers the right to find out what’s being collected about them, to stop companies from selling their personal data, and to opt out of sharing it at all. Businesses couldn’t sell the personal data of anyone younger than 16.

The law doesn’t just apply to Silicon Valley behemoths such as Facebook and Google, but to any California business that collects data on customers.

It headed off a much stricter ballot initiative that had been slated to come before California voters this November. The initiative, spearheaded by local real estate developer Alastair Mactaggart, would have been tougher on the tech industry.

Most concerning to tech companies were provisions in the ballot initiative giving consumers the right to sue companies for violations without having to prove they’d been harmed, and obtain substantial damages. But Mactaggart agreed to withdraw the initiative if state lawmakers passed a bill, and the governor signed it by Thursday, the deadline to finalize ballot measures.

One of the CCPA’s sponsors, Senator Bob Hertzberg, admitted during legislative hearings Thursday that negotiations over consumers’ right to sue had been the most contentious. But, he argued, they’d come to a “fair compromise.”

The CCPA considerably rolled back the ability of consumers to sue for damages, giving them the right to sue only after a data breach and only after companies had been given 30 days to fix any problems.

California’s attorney general is charged with monitoring Silicon Valley’s privacy practices and bringing cases when companies violate the statute. The state’s attorney general would soon become “the chief privacy officer of the United States,” Hertzberg said.  
Privacy advocates praised the new law as the most comprehensive in the US, saying it will be a model for other states and perhaps spur action from Congress.

But some, such as the American Civil Liberties Union, argued it didn’t go far enough in protecting consumers' privacy. “This measure was hastily drafted and needs to be fixed,” said Nicole Ozer, technology and civil liberties director for the ACLU of California.

It was also clear that the debate over damages under the law isn’t over yet, and that business groups still have concerns that the law could fuel a wave of abusive litigation against California tech companies.

Sarah Boot with the California Chamber of Commerce warned an Assembly Committee Thursday morning that companies will be inundated with lawsuits immediately after a data breach as a result of the law, and it won’t be just “bad actors.”

The authors of the law may also argue that consumers can only sue for damages after a data breach, but the language is vague, she said. Plaintiffs lawyers could successfully argue that the damages provision applies to more than just data breaches, she said. Boot “strongly urged” the legislature to fix that lack of clarity.

“I do believe the delayed implementation will help with that, and we are grateful for that,” Boot said.

Privacy and data security attorney Hanley Chew in Silicon Valley agreed the language in the law is unclear and could lead to an increase in class actions, and not just after a data breach. “I could see an argument being made that it applies to other violations besides data breaches,” he said.

The National Retail Federation in a statement called the legislation “deeply flawed,” arguing it “will expose businesses to unwarranted lawsuits while potentially taking away many of the innovations and special services consumers have come to expect.”

The tech industry's lobbyists will be making their concerns known, too, as changes to the law are debated.

Robert Callahan, vice president at the Internet Association, which represents companies such as Amazon, Facebook, Google and Uber, said “it is critical going forward that policymakers work to correct the inevitable, negative policy and compliance ramifications this last-minute deal will create for California’s consumers and businesses alike.”

CCPA Report