The California Attorney General (‘AG’), Xavier Becerra, announced, on 25 February 2019, that he had introduced, together with U.S. Senator, Hannah-Beth Jackson, Senate Bill 561, which seeks to strengthen and clarify the California Consumer Privacy Act of 2018 (‘CCPA’), to the California State Senate (‘the Bill’). In particular, the AG outlined that the Bill would provide consumers with a private right of action under the CCPA, and eliminate the ‘right to cure,’ which allows companies to cure violations within a 30-day period before enforcement occurs. The Bill would also remove the requirement that the AG provides businesses and private parties with individual legal counsel on CCPA compliance.
Francis Fryscak, Attorney at SecondSight Law, told DataGuidance, “Predicting the outcome of legislation, especially in California, is a dangerous sport; still, I would predict that the AG ultimately gets some of the things he would like to see modified in the CCPA, especially eliminating the AG’s obligation to provide […] legal counsel, and the ‘right to cure.’ The Bill’s broad expansion of a private right of action, on the other hand, which would extend the CCPA’s private right of action to every CCPA violation rather than only those involving data breaches, looks to me a much harder objective […] It is difficult to imagine that it will be a late-breaking addition to the CCPA in the face of significant business opposition and the risk of overreach and unintended economic consequences.”
For now, it’s the states’ efforts that should be centre of the legislative bullseye in the privacy sphere
The Bill also clarifies the AG’s advisory role in providing general guidance on the CCPA. It specifies that the AG may publish materials that provide businesses and others with general guidance on how to comply with the CCPA, which contrasts with the existing law, whereby a business or third party may seek the opinion of the AG regarding how to comply with the CCPA.
Fryscak concluded, “In California, the lion’s share of recent attention on privacy law efforts has rightly been on developments around the CCPA, but increasingly that’s not the whole game. Some recently introduced bills, especially Assembly Bill 1202, which provides for data broker registration, could find their provisions enacted and influencing other states’ legislation […] [Indeed], for now, it’s the states’ efforts that should be centre of the legislative bullseye in the privacy sphere. Federal legislative efforts to enact a comprehensive omnibus privacy act are not likely to overcome opposition without some meaningful degree of pre-emption of state obligations, and there has been a significant recent pushback on broad pre-emption. Allowing businesses some basic types of uniformity regarding their privacy obligations seems essential, and it’s hard to envisage sufficient business support without it.”
RUMER RAMSEY Privacy Analyst