California May Broaden Far-Reaching Data Privacy Law

California consumers would have more power to sue corporations for misusing their data under a proposal by the attorney general Monday to expand what already is the nation's most far-reaching law protecting personal information.

Source: AP | Published on February 27, 2019

Cyberattacks pose risk to creditworthiness

The revision to the law passed last year is among several sought by Attorney General Xavier Becerra and Santa Barbara Democratic state Sen. Hannah-Beth Jackson to make it easier to enforce once it takes effect on Jan. 1, 2020.

"This is basically a bill to enforce the law," Jackson said.

Consumers are able to sue companies that collect their data if their information is stolen or disclosed in a data breach, but only if the company was found to be careless or negligent. That allows suits if the data was not encrypted or the company didn't take other reasonable security measures.

The new legislation would expand a consumer's right to sue for damages to include other violations under the law, even if they don't result in a data breach.

California's European Union-style privacy law will require companies to tell consumers upon request what personal data they've collected, why it was collected and what categories of third parties have received it. It will bar companies from selling data from children younger than 16 without consent. Customers will also be able to ask companies to delete their information and refrain from selling it, so violations could be subject to individuals' and class action lawsuits.

The Internet Association's California government affairs director, Kevin McKinley, said it opposes the change, "as it would unwind a key piece of the deal that was struck last year to pass (the law) and to make the law workable for companies both big and small."

The California Chamber of Commerce said the goal of the legislation "appears to be lawsuits and attorney's fees" with "significant new avenues of litigation that will primarily benefit trial attorneys." The chamber predicted the measure would harm small businesses and "kill jobs and innovation."

Californians for Consumer Privacy chairman Alastair Mactaggart and Common Sense CEO James Steyer, who both supported the privacy law, praised changes they said would strengthen the measure.

The proposed legislation also removes requirements that the attorney general provide companies legal advice about the law and give them 30 days to fix a problem before he can sue. Becerra said unless the pending law is revised, he will be required to provide unlimited legal opinions to the very companies that are breaking the law.

The law responds to several huge breaches in recent years including those at Target and Equifax. Facebook also has faced criticism after it was revealed that Republican-linked consulting firm Cambridge Analytica collected data from millions of Facebook users without their knowledge.

Monday's announcement is among several attempts to build on the state's privacy law.

Gov. Gavin Newsom earlier this month said consumers should get a "data dividend" from the billions of dollars that technology companies make by capitalizing on personal data they collect, for instance by selling the data to outside businesses that target ads to users.

Another pending bill would require companies to disclose how much consumers' data is worth to them.