I’m in beautiful Dana Point, California for the annual Local Search Association conference (a blog post all about it to follow tomorrow), enjoying the views, the atmosphere, and the news that data security is still top of mind for leaders in the Golden State. Just yesterday, California AG Xavier Becerra proposed an amendment to the California Consumer Privacy Act (“CCPA”) that would drastically strengthen its enforcement components and empower citizens to file private causes of action. Interestingly, Twitter was pretty quiet about it, which means the news hasn’t really gotten around. When it does, the reaction is unlikely to be muted.
A serious reaction wouldn’t be out of place. We’ve discussed before how significant a private cause of action can be, and just how costly statutory fines are. Put briefly, if a law provides both a right and a remedy (in the form of a right to sue), that right will be exercised, frequently. For instance, California’s Unfair Competition Law and False Advertising Law both empower citizens to sue for misleading advertisements or unfair trade practices. Lawsuits under the two acts are a cottage industry, with millions of dollars in legal fees and settlements each year. If CCPA creates a similar ability to sue, the outcome will be no different.
Less well understood is what’s called the “right to cure” provision in CCPA as drafted. As the name suggests, the right allows companies to correct their mistakes (whether in data handling, transparency, response to complaints, or otherwise) before the Attorney General has the authority to begin an enforcement action. Think of it as kind of a data privacy mulligan: sure, you improperly sold personal data to third parties, but if you stop, today, the AG won’t sue you for $2,500-$7,500 in statutory damages per violation.
That approach, in AG Becerra’s view, is too lenient, which is why the proposed amendment “removes language that allows companies a free pass to cure CCPA violations before enforcement can occur.” On the one hand, you can see the principle behind this. Privacy is a fundamental right in California’s constitution, and so why should a company that violates both the state Constitution and a statute be allowed a freebie? We don’t tell criminals “just this once, you little scamp, but never again.”
On the other hand, given the lack of certainty around the law (as recent testimony to the California Senate demonstrates), it’s hard to argue with the notion that companies may inadvertently violate the act without any ill intention, and certainly without the financial wherewithal to manage the hefty fines they can incur. More than this, the change reflects an approach to enforcement that is oriented towards policing, rather than education. That is, it appears that the AG’s office considers CCPA more of a tool for enforcing behavior, rather than for guiding business towards best practices. The latter will naturally follow, the thinking goes, when people see a few hefty fines come down. It’s exactly what the Consumer Finance Protection Board tried to do in its first few years of existence.
Obviously, a proposed amendment is not the same as a law, and CCPA will almost certainly look different in a year than it does right now. The crucial lessons to draw from this proposal, though, are that:
- Robust enforcement of CCPA, whatever its final form will be, is all but guaranteed;
- The California AG is likely to be actively looking for violators to use as test cases/examples;
- Confusion over the scope or nature of the law will continue, but will probably not be enough to forestall enforcement actions; and
- A concerted effort to employ best practices as early as possible is important, given the act’s one-year lookback period.
Those four statements should feel familiar, because they describe, precisely, the situation prior to GDPR’s effective date in May 2018. And they will feel familiar again in six, twelve, eighteen months, when states like Washington or Massachusetts enact their own highly aggressive data privacy laws. The bottom line is that, regardless of where or how your business operates, American data privacy laws will soon have a greater impact on your activities. That means the time to create, improve, or expand your privacy program is now.