California Looks to Broaden Customer Protection Law; Congress Takes Tentative Steps Towards Nationwide Privacy Baseline
The California Consumer Privacy Protection Act (CCPA), passed last year in California with strong bipartisan agreement, was a watershed moment in US cyber regulation.
Following the example set by the European Union’s sweeping General Data Protection Regulation (GDPR), the CCPA promised strong protections for Californians and stringent breach reporting requirements for businesses—though it did not go as far as the GDPR in some areas, as seen in the chart below.
Built into the law was one year for legislators to make any necessary revisions before it takes effect in 2020. One of these revisions, pushed by California Attorney General Xavier Becerra and Santa Barbara Democratic state Sen. Hannah-Beth Jackson, would make it even easier for customers to sue businesses under the law. Right now, customers can sue companies that collect their data, including brokerages, when their information is stolen or disclosed in a data breach, but only if the company is shown to be negligent.
Should the revision pass, customers would be able to sue for damages for other violations of the law (such as not deleting a customer’s data upon their request), even if those violations don’t result in a data breach, potentially burdening smaller businesses with excessive litigation.
Another pending bill to revise the law would remove the attorney general’s obligation to provide companies legal advice about the CCPA, and a second would remove the 30-day grace period before the attorney general could sue, a period meant to give a company a chance to correct an issue before it is hit with litigation.
The nonpartisan agreement on a need for more robust data privacy extends even to Washington, where both Democrats and Republicans have expressed a desire for a nationwide baseline for data privacy. Where the parties diverge, however, is on whether the nationwide law would preempt state laws, including the CCPA, or serve as a foundation for states to build upon. It will be important to monitor the policy situation in Washington in the coming months, as it is unclear which direction Congress will go.