Bill would make it easier for consumers to sue if data mishandled

SACRAMENTO — Calling a consumer privacy law passed last year “just the beginning,” Attorney General Xavier Becerra and state Sen. Hannah-Beth Jackson, D-Santa Barbara, introduced a new bill on Monday to give the rules more teeth.

SB 561 would make it easier for consumers to sue companies when their data is mishandled and remove a 30-day right to remedy contained within the California Consumer Privacy Act (CCPA).

Jackson noted the earlier law, AB 375, was passed in a rush at the end of the legislative session. A “sword of Damocles” hung over the negotiations in the form of a threatened ballot initiative, she said, leaving the final bill a work in progress.

“A right without a remedy is no right at all,” Jackson said at a news conference at Becerra’s Sacramento office. “This is basically a bill to enforce the law.”

AB 375 is scheduled to go into effect on Jan. 1. It contains a limited private right to action for breaches of unencrypted data.

Becerra noted his office has scheduled six public comment sessions on proposed regulations around the new law with the last one set for March 5 at Stanford Law School. One thing that became clear is the potential enforcement responsibility was too much for his office to handle though it likely would act when a potential class of litigants emerged.

The new bill would remove the Department of Justice’s responsibility to directly advise companies on compliance. Instead, SB 561 would call on Becerra’s office to issue and update general guidelines and best practices.

“We do not give free legal advice, which is what this would amount to,” Becerra said, citing the likely burden on his office and taxpayers.

The 30-day remedy period did not take into account that many violations of the law cannot be remedied, he said.

“It’s a get out of jail free pass,” Becerra said. “There is no way to cure the disclosure of personal data once it’s out there.”

The Assembly Privacy and Consumer Protection Committee held a three-hour hearing on AB 375 implementation last week.

“I was aware when I pulled the initiative that opened us up to change, both bad and good,” said the hearing’s first speaker, Alastair Mactaggart.

Mactaggart is the chairman of Californians for Consumer Privacy and the leader of the aborted initiative attempt. He said he got the three main things he wanted from the bill: a right for consumers to know what data is being gathered about them, a right to say no to certain uses of that data, and a right to expect companies to protect personal data.

Sarah R. Boot, a policy advocate for the California Chamber of Commerce, testified AB 375 was already expensive and complex for businesses. Advocates underestimated the burden it would have on companies besides the technology giants it is ostensibly aimed at, she said.

“What is the goal of the CCPA?” Boot asked. “Is it for lawsuits and attorney’s fees? The goal should be compliance.”