Cal AG Offers Legislation Making CaCPA More Onerous
On Monday, California Attorney General Xavier Becerra and Senator Hannah-Beth Jackson today unveiled Senate Bill 561 to amend the California Consumer Privacy Act (CaCPA) passed last year in three critical respects as described in their joint press release:
(1) Removes the Attorney General’s requirement to provide 30-day notice before taking action, essentially a “get out of jail free card” for bad actors.
The 30-day notice requirement included in CaCPA was not a gift to businesses but a continuation of existing law. For example, the California Online Privacy Protection Act (CaOPPA) which was passed in 2003, requires websites collecting information about California consumers to post a privacy policy. A business in violation of CaOPPA only if the business “fails to post its policy within 30 days after being notified of noncompliance.” This is not a “get out of jail free card,” but a safe harbor for well-meaning businesses who may not be fully aware of their obligations.
(2) Removes an onerous requirement to provide legal opinions directly to any business or third party, which would unnecessarily divert public funds and resources from enforcement.
The Attorney General has objected to language in CaCPA that allows “[a]ny business or third party may seek the opinion of the Attorney General for guidance on how to comply with the provisions of this title.” This is not unusual in complex regulatory schemes. For example, the Internal Revenue Service provides “Private Letter Rulings” to address questions as to whether certain measures would comply with existing law. The Private Letter Rulings are published and offer guidance and clarity to the tax bar as a whole.
Clearly, the legislature thought this might be necessary for such a new and comprehensive statutory regime as has been adopted in California. The Attorney General’s Office, however, has resisted this and apparently does not want to devote its resources to facilitating compliance.
(3) Allows Californians whose rights have been violated under the CCPA to seek justice.
The CaCPA allows for enforcement by the Attorney General and a private right of action for data breaches which cause the greatest consumer harm. Expanding a private right of action to any violation of CaCPA regardless of the extent of actual damage will create a privacy litigation frenzy.
Senator Jackson is the Chair of the Senate Judiciary Committee which, combined with the support of the Attorney General, makes this legislation very likely to advance. Businesses need to let themselves be heard on this legislation. Click here to find out who your representatives in the California Senate and Assembly and how to contact them.
BILL TEXT
THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:
SECTION 1.
Section 1798.150 of the Civil Code is amended to read:
1798.150.
(a) (1) Any consumer whose rights under this title are violated, or whose nonencrypted or nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following:
SEC. 2.
Section 1798.155 of the Civil Code is amended to read:
1798.155.
(a) Any business or third party may seek the opinion of the The Attorney General for may publish materials that provide businesses and others with general guidance on how to comply with the provisions of this title.
Pingback: CLA Legislative Day: CaCPA Is a Top Issue for Sacramento Judiciary Committees | Cyber Report