Three Perspectives on Amending the “California Consumer Privacy Act of 2018”

Three perspectives on amending a recently passed California state law that grants consumers new privacy rights.

Note: This article was written in 2018 for a class assignment and does not represent the views of any person or group.

Abstract— This paper offers three perspectives on amending the “California Consumer Privacy Act of 2018,” a recently passed California state law that grants consumers new privacy rights, including the right to access, receive, and delete their personal information from businesses, and the right to opt-out from data sales. The California legislature is expected to consider amendments before the law takes effect on January 1, 2020. In this paper, we first propose an amendment from the perspective of the Internet Privacy and Productivity Association (IPPA), a hypothetical industry trade association, before moving on to an amendment from Privacy for All (PFA), a hypothetical consumer privacy organization. The views of the author, as a legislative assistant to a hypothetical California legislator, are considered in the final section.

Index Terms— breach, business, California, consumer, data, legislation, personal information, privacy, private right of action, security, security framework

I. IPPA’S VIEW

As an industry trade association that advocates for protecting consumer privacy “while ensuring economic growth, innovation, and responsible use of personal data” [1], we applaud the authors of the “California Consumer Privacy Act of 2018” (CCPA) for their efforts to strengthen consumer privacy in the State of California. However, we must point out that this Act fails to adequately consider the practicalities of business operation and exposes companies to significant legal risk, threatening to hinder future entrepreneurship and innovation.

The CCPA creates a new private right of action that exposes companies to significant legal risk. The Act allows any consumer whose personal information was compromised in a data breach to sue the breached company for up to 750 dollars per consumer per incident without having to prove any actual damages [2]. As these lawsuits can be brought individually or as part of a class action, even a relatively small-scale breach affecting 100,000 consumers could cost a business 75 million dollars in statutory damages, in addition to legal fees [3]. This could be fatal to smaller businesses and would make it nearly impossible for all but the largest companies to provide services to consumers, discouraging start-ups and competition.

The private right of action threatens all companies regardless of their security practices. In theory, a breached company is only liable if it failed to “maintain reasonable security procedures” [2]. However, this term is vaguely defined, and litigating its definition may prove prohibitively expensive. A company that follows all the best security practices could nonetheless fall victim to a sophisticated and potentially state-sponsored attack; yet, a litigious consumer may still argue that the very occurrence of a breach proves that the company’s procedures were inadequate. It is impossible to guarantee total information security [4], and under the current Act, a breached company will be flooded with litigation and liable for expensive statutory damages regardless of the company’s past security practices.

To address this problem and allow for continued business innovation while continuing to protect consumer privacy, we propose to amend the CCPA by creating an affirmative defense to data breach lawsuits for businesses that meet specific security standards [5]. Similar to the State of Ohio’s recently enacted Cybersecurity Safe Harbor Law [6], if a business verifiably implements and maintains compliance with a government-approved cybersecurity framework, this amendment would allow the business to invoke its security compliance as an absolute defense against data breach litigation brought under the CCPA.

This amendment would protect consumers without unduly burdening businesses with excessive risk. As businesses can invoke the affirmative defense only if they meet specific security standards, the amendment would incentivize proper security practices. Naming specific security frameworks as a directly actionable solution to the risk posed by breaches could reduce the sense of helplessness among company executives and lead to more companies improving their security programs, ultimately benefiting the consumers whose data are at stake. At the same time, in the unfortunate event of a breach by an advanced threat actor, the amendment would protect businesses that have implemented proper security controls from being unjustly punished for an attack that is truly outside their control. Without compromising the core purpose of the CCPA, this amendment would ensure that the Act does not create disproportionate legal risk for businesses and stifle innovation and competition.

II. PFA’S VIEW

As a consumer privacy organization that takes every opportunity to “protect the rights of individuals against surveillance capitalism” [1], we welcome the passage of the “California Consumer Privacy Act of 2018” (CCPA), which writes into law the privacy rights that we have long believed every person should be entitled to. However, we are troubled that the right for consumers to directly enforce against violations was removed when the CCPA was converted from a ballot initiative into an assembly bill, leaving a political and often-overwhelmed Attorney General’s Office as the sole source of enforcement for most of this Act.

Most of the CCPA, as enacted, can only be enforced by the Attorney General. This includes the essential provisions that provide consumers with the right to access, receive, and delete copies of their personal information held by businesses, and the right to opt-out of data sales. If a business violates these provisions, a consumer cannot directly file a lawsuit; instead, the consumer’s only recourse is to file a complaint with the Attorney General.

Vesting the Attorney General (AG) with the exclusive power to enforce the CCPA limits the Act’s effectiveness. The AG’s Office has limited resources and cannot pursue every credible consumer complaint [7]. Although the AG may selectively bring enforcement actions against a few large companies to score public victories, most companies will not see enforcement, leaving consumers unprotected. Smaller companies such as data brokers can avoid fully complying with the Act so long as they do not attract too much attention. Moreover, the AG is an elected politician who is subject to lobbying by business interests and regulatory capture; a pro-business AG may choose to deprioritize CCPA enforcement actions, thereby weakening the Act’s power.

To ensure that businesses fully comply with the CCPA, we propose to amend the Act by restoring Section 1798.108, titled “Enforcement by Consumers Who Have Suffered an Injury in Fact,” from the original ballot initiative [8]. This would provide consumers with a private right of action when a business violates the CCPA, allowing affected consumers to sue bad actors for statutory damages. In addition to the original Section 1798.108, we propose to allow consumers to sue for equitable relief, and to recover the costs of these actions if successful, so that non-compliant companies can be compelled to comply with lawful consumer requests. To provide businesses with an opportunity to cure any inadvertent violations, we propose requiring consumers to give 30 days’ notice to the prospective defendant, using language similar to Section 1798.150(b)(1) of the CCPA [2]. By providing consumers with the power to warn and enforce against non-compliant businesses, our amendment would ensure that businesses fully comply with the Act regardless of the incumbent Attorney General’s priorities.

This amendment would advance the CCPA’s purpose without harming legitimate business activities. Under the amendment, businesses that comply with the Act in good faith would not be affected, as they would have 30 days to address any accidental violations without risking litigation. Small businesses and start-ups would also not be affected, as the CCPA’s definition of a covered “business” excludes companies that do not meet the applicable revenue or user-count thresholds [2]. Our amendment would only affect established companies that intentionally violate the CCPA.

III. THE AUTHOR’S VIEW

I share the concerns raised by the Internet Privacy and Productivity Association (IPPA) and those expressed by Privacy for All (PFA), and I support both proposed amendments to the “California Consumer Privacy Act of 2018” (CCPA).

The amendments proposed by the two organizations address specific problems with the CCPA while furthering the Act’s overall goals. Although the IPPA and the PFA may have conflicting interests, one representing businesses and the other representing consumers, their amendments do not conflict with each other. The IPPA amendment focuses on data breaches and the consequent legal exposure, while the PFA amendment focuses on businesses’ compliance with consumer instructions.

I agree with the IPPA that despite significant investments in security, not all data breaches can be practically prevented, and that smaller companies that are breached could risk bankruptcy under the CCPA’s data breach provisions despite their best efforts to ensure security. The IPPA’s proposed amendment would provide an affirmative defense against CCPA data breach lawsuits for companies that implement a government-approved cybersecurity framework, ensuring that companies are not unjustly penalized for being attacked. Because the IPPA’s amendment allows businesses to mitigate the legal risk posed by data breach litigation while encouraging good security practices, I support the amendment.

I also share PFA’s concern that designating the Attorney General as the sole enforcer for most provisions of the CCPA could result in unsatisfactory compliance by businesses, which would reduce the Act’s effectiveness. PFA’s amendment would provide for a private right of action by consumers whose rights have been violated by any covered business, provided that the consumer gives the business 30 days’ notice and the business does not correct its violation within that time. Unlike data breaches, compliance with the disclosure, deletion, and opt-out provisions of the CCPA is fully within the control of the business. Therefore, it is reasonable to expect companies meeting the coverage threshold of the Act to fully comply with its requirements regarding consumer requests. The PFA’s amendment furthers the purposes of the Act by ensuring compliance while giving businesses the opportunity to correct any unintentional errors. Hence, I also support this amendment.

IV. REFERENCES

[1] A. Anton and P. Swire, “Project 1: Amendments to New California Privacy Law,” in Privacy, Technology, Policy, & Law Course Syllabus, 2018.

[2] California State Assembly. 2017–18 Session. (2018, Jun. 28). Assembly Bill No. 375, California Consumer Privacy Act of 2018. [Online]. Available: https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375.

[3] J. Harvey, D. Keating, and P. Swire. Webinar, Topic: “Navigating the California Consumer Privacy Act of 2018.” Alston & Bird LLP, Atlanta, GA, Sep. 12, 2018.

[4] E. Kelly, “Making the government impenetrable to hackers impossible, experts say,” USA Today, Jul. 3, 2015. [Online]. Available: https://www.usatoday.com/story/news/politics/2015/07/03/federal-cybersecurity-opm-hack-not-impenetrable/29468695/. [Accessed Sep. 25, 2018].

[5] Alston & Bird: Privacy & Data Security Blog, “Ohio Enacts Cybersecurity Safe Harbor Law,” Alston & Bird LLP, Sep. 20, 2018. [Online]. Available: https://www.alstonprivacy.com/ohio-enacts-cybersecurity-safe-harbor-law/. [Accessed Sep. 25, 2018].

[6] Ohio General Assembly. 132nd General Assembly. (2018, Jun. 27). Senate Bill No. 220, An Act to provide a legal safe harbor to covered entities that implement a specified cybersecurity program. [Online]. Available: http://search-prod.lis.state.oh.us/solarapi/v1/general_assembly_132/bills/sb220/EN/05?format=pdf.

[7] A. Anton, C. Hoofnagle, and P. Swire. PUBP 4726. Class Lecture, Topic: “California Privacy Law: Session with Prof. Hoofnagle from UC Berkeley.” Scheller College of Business, Georgia Institute of Technology, Atlanta, GA, Sep. 10, 2018.

[8] M. Ross and A. Mactaggart. Ballot Initiative. (2017, Nov. 17). “The California Consumer Privacy Act of 2018.” [Online]. Available: https://oag.ca.gov/system/files/initiatives/pdfs/17-0039 (Consumer Privacy V2).pdf.