SACRAMENTO — California consumers would have more power to sue corporations for misusing their data under a proposal announced Monday to expand what already is the nation’s most far-reaching law protecting personal information.

The revision to the law passed last year is among several sought by Attorney General Xavier Becerra and Santa Barbara Democratic state Sen. Hannah-Beth Jackson to make it easier to enforce once it takes effect on Jan. 1, 2020.

The new legislation would expand a consumer’s right to sue for damages to include other violations under the law, even if they don’t result in a data breach.

“This is basically a bill to enforce the law,” Jackson said.

Expands Consumers’ Right to Sue

Consumers are able to sue companies that collect their data if their information is stolen or disclosed in a data breach, but only if the company was found to be careless or negligent. That allows suits if the data was not encrypted or the company didn’t take other reasonable security measures.

The new legislation would expand a consumer’s right to sue for damages to include other violations under the law, even if they don’t result in a data breach.

California’s European Union-style privacy law will require companies to tell consumers upon request what personal data they’ve collected, why it was collected and what categories of third parties have received it. It will bar companies from selling data from children younger than 16 without consent. Customers will also be able to ask companies to delete their information and refrain from selling it, so violations could be subject to individuals’ and class action lawsuits.

Industry, Business Groups Oppose Changes

The Internet Association’s California government affairs director, Kevin McKinley, said it opposes the change, “as it would unwind a key piece of the deal that was struck last year to pass (the law) and to make the law workable for companies both big and small.”

The California Chamber of Commerce said the goal of the legislation “appears to be lawsuits and attorney’s fees” with “significant new avenues of litigation that will primarily benefit trial attorneys.” The chamber predicted the measure would harm small businesses and “kill jobs and innovation.”

Gov. Gavin Newsom earlier this month said consumers should get a “data dividend” from the billions of dollars that technology companies make by capitalizing on personal data they collect.

Californians for Consumer Privacy chairman Alastair Mactaggart and Common Sense CEO James Steyer, who both supported the privacy law, praised changes they said would strengthen the measure.

The proposed legislation also removes requirements that the attorney general provide companies legal advice about the law and give them 30 days to fix a problem before he can sue. Becerra said unless the pending law is revised, he will be required to provide unlimited legal opinions to the very companies that are breaking the law.

 

Newsom Calls for ‘Data Dividend’

The law responds to several huge breaches in recent years including those at Target and Equifax. Facebook also has faced criticism after it was revealed that Republican-linked consulting firm Cambridge Analytica collected data from millions of Facebook users without their knowledge.

Monday’s announcement is among several attempts to build on the state’s privacy law.

Gov. Gavin Newsom earlier this month said consumers should get a “data dividend” from the billions of dollars that technology companies make by capitalizing on personal data they collect, for instance by selling the data to outside businesses that target ads to users.

Another pending bill would require companies to disclose how much consumers’ data is worth to them.

One Response

  1. Pete Mumbas

    To be sure, the amended law needs to recognize that not all internet businesses are part of the Facebook ecosystem. Consequently for those smaller businesses without the reach of a Facebook, notice of infraction prior to suits makes sense for two reasons. The size of these business entities likely is related to the financial harm which can be done from mishandling privacy protected data since their reach into the internet commerce world is limited. Secondly the size of smaller business constrains their ability to conduct a review thorough or at all of the latest issued regulation.
    These comments do not reflect on how the AG should handle breaches by the obviously large and consequential firms on the internet.
    Thank you.

    Reply

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

We've got issues, and we're willing to share
(but only if you want them in your inbox).