At the Intersection of Technology, Law, and Business
March 28, 2019 - Privacy + Data Security

California Seeks to Strengthen Tough Privacy Laws

The Madden Saga Continues: On Remand, Madden Survives Summary Judgment and District Court Certifies Class

If you thought California’s privacy laws couldn’t get any tougher, think again. The California Legislature has proposed amendments to the California Consumer Privacy Act and additional privacy bills that could expand businesses’ privacy and data security obligations and heighten liability for noncompliance.  These proposals confirm that the dust is far from settled in California with respect to the CCPA specifically and privacy regulation generally.

Proposed CCPA Amendments.  On February 25, 2019, Senator Hannah-Beth Jackson announced proposed amendments to the CCPA (SB 561), backed by the California Attorney General, which would dramatically change enforcement of the Act by:

  • Expanding the private right of action to cover any violation of the Act.  The Act limits consumers to suing if their personal information is involved in certain data security incidents.  Cal. Civ. Code § 1798.150(a).  SB 561 would expand the private right of action to cover any violation of the Act, including violations related to compliance with the Act’s individual rights provisions.  This change increases businesses’ litigation risk and exposure arising out of the Act’s broad (and in many ways ambiguous) requirements.
  • Eliminating businesses’ ability to cure violations before AG enforcement can occur.  The Act currently requires the AG to notify businesses of alleged noncompliance and give businesses thirty days to cure alleged violations before bringing an enforcement action.  Cal. Civ. Code § 1798.155(b).  SB 561 would eliminate this “right to cure,” allowing the AG to sue without notice.
  • Removing the AG’s obligation to provide compliance guidance to businesses.  The amendments would remove businesses’ ability to seek the AG’s guidance on how to comply with the Act, Cal. Civ. Code § 1798.155(a), instead providing that the AG may publish general compliance guidance.

In backing SB 561, the AG has renewed requests for changes the Legislature declined to adopt in August 2018, when it approved other amendments to the Act (SB 1121).  Whether the AG’s proposed amendments will gain traction in the Legislature this session remains to be seen.  The Legislature must also consider SB 561 in connection with other proposed CCPA amendments that would expand exemptions under the Act,[1] clarify required mechanisms to submit consumer requests,[2] and make nonsubstantive changes.[3]  And, it is likely that there will be additional amendments on the table as well.

Additional Privacy Bills.  California Assembly Members have recently introduced other privacy bills that would expand the State’s existing privacy laws, including:

  • AB 288 – Social Media Privacy. This bill would require social media companies to give users the option to have their personally identifiable information permanently removed from company records and excluded from sale when users close their accounts.  AB 288 includes a private right of action permitting consumers to sue for violations.
  • AB 950 – Consumer Privacy Protection. This bill would require businesses that collect California residents’ consumer data to disclose the average monetary value to the business of consumers’ data and any use of such data that is not directly related to providing services to consumers.  The bill would also require businesses that sell California residents’ consumer data to disclose the average price the business receives for consumers’ data and the actual price it received for a consumer’s data in response to a verified request by the consumer.
  • AB 1035 – Personal Information: data breaches.  This bill would require businesses to disclose data breaches involving personal information within 72 hours of discovering the breach.
  • AB 1202 – Privacy: data brokers.  This bill would require data brokers to register with, and provide certain information to, the AG and would require the AG to publicize that information on the AG’s website.  The AG could sue data brokers for noncompliance.
  • AB 1281 – Privacy: facial recognition technology: disclosure.  This bill would require a business in California that use facial recognition technology to disclose that usage in a clear and conspicuous physical sign posted at the entrance of locations where such technology is used.  Violations would constitute “unfair competition” under California’s Unfair Competition Law.
  • AB 1395 – Smart Speaker Privacy Act. This bill would prohibit “smart speaker devices,” and manufacturers of such devices, from saving or storing voice data collected by the devices.

This legislative activity suggests that privacy regulation is a priority for the Legislature and remains top of mind for consumer advocates.  It will be important for businesses to be mindful of the full privacy landscape as they plan for and focus on CCPA compliance this year.

[1] See AB 1146 (exempts vehicle information shared between a new motor vehicle dealer and specified parties in relation to certain vehicle repairs); AB 1355 (excludes deidentified or aggregate consumer information from the definition of personal information under the Act); and AB 1416 (confirms the Act does not restrict businesses’ ability to comply with the law, exercise or defend legal claims, protect against fraud, security incidents, or other illegal activity, or investigate, report, or prosecute those responsible for such activity).

[2] See AB 1564 (requires businesses to provide consumers with a toll-free number or email address to submit requests and, if the business maintains a website, a website to submit requests).

[3] See AB 1760 (nonsubstantive changes to deletion right); AB 1758 (nonsubstantive changes to provision confirming Act does not require businesses to retain personal information for a single, one‑time transaction if the business does not sell or retain the information); SB 752 (nonsubstantive changes to financial incentive provision); and SB 753 (nonsubstantive changes to requirement to provide opt-out link on internet homepage).