Under the California Consumer Privacy Act, which takes effect in 2020, consumers will have the right to opt out of the sale of their personal data to third parties, and request that businesses delete their information. The law calls for noncompliant companies to be prosecuted by the California attorney general’s office and fined up to $7,500 for each violation.
But after months of strenuous lobbying by technology companies, which are increasingly clashing with privacy advocates in Sacramento, it appears California consumers may end up having to fend for themselves. That’s because the office of Attorney General Xavier Becerra says it is ill equipped to prosecute data privacy, and predicts it may be able to handle only a handful of the most egregious cases per year.
Consumers have for years suffered blatant privacy abuses from companies that claim to be responsive to their requests for anonymity.
After seeing their names with birthdays, addresses, phone numbers and speeding tickets displayed online for the world to see, thousands of American consumers have been taking their complaints to the Better Business Bureau to try to remove their information from people search sites such as Mylife.com, Spokeo and Whitepages. One irate contributor to the bureau’s forum, Mark Perna, 45, said he called Mylife.com, a Los Angeles-based company that has tallied 9,242 complaints, requesting his information be removed. “If someone wanted to, they could stalk someone,” said Perna, who is a D.J. living in San Diego. After getting no satisfaction, he reported the company to the state attorney general.
More Staff for Just a Few Cases
But he might not get much help from California regulators. Stacey Schesser, supervising deputy attorney general on consumer protection, testified in a state Senate hearing in April about how limited her office’s enforcement capabilities were. She said that even after the planned expansion of her privacy team to 23 people under the governor’s proposed $4.7 million budget for the department, she would still have the ability to prosecute only three cases a year.
That calculation came from reviewing the number of hours spent in the past on similar types of cases. The new staff will have a “multitude of responsibilities” — handling investigations, litigating violations and proposing adjustments to the regulations themselves. Enforcement of the new privacy law can stay effective only if it responds as technology evolves.
The law will cover businesses that fall into any of three categories: those that earn more than half their revenue from the sale of consumers’ personal information; those with more than $25 million in gross revenue; and those selling or sharing personal information of 50,000 or more consumers, households or devices.
“The issue here is that there’s 40 million Californians, and the scope of businesses that the CCPA applies to is significantly large,” said Schesser.
But there is wide disagreement about the number of firms that will have to comply with the California Consumer Privacy Act, to say nothing of more than a dozen other proposals in various states of development in the Legislature. There is no official list of companies, and thus no estimate of the portion of the state’s economy that could be affected when the law takes effect.
Records Request Denied
In response to a Legislative Open Records Act request for lists of companies expected to come under its regulatory scrutiny, the attorney general’s office replied that it had no such records. The office also refused to release any documents or correspondence under a request that would shed light on the office’s strategy toward specific companies, including large tech firms and people search companies. Among other reasons, it said “regulation-related work product is confidential and exempt from disclosure.”
Non-governmental estimates of the scope of the regulations suggest that compliance could be a major headache not just for a multitude of California-based companies, but also those in other states, based on the broad wording of the regulation — something industry lobbyists are hard at work to change.
A survey by the International Association of Privacy Professionals argued that half a million U.S. companies could be affected by California’s privacy law, based on Census Bureau data from 2015.
California’s privacy law “is effectively a national law,” said Colin O’Malley, principal of consultancy Lucid Privacy Group and co-founder of privacy app Ghostery. “It’s extremely difficult to carve out a market as large as California. Many folks in the digital media space are going to be treating everybody as a Californian.”
From an international perspective, it’s clear that California has its work cut out for it. Deputy Attorney General Schesser compared the number of staff she will be overseeing with her Irish counterpart. With a population of 4.8 million — one-eighth of California’s — Ireland maintains a data privacy unit of 140 officers to enforce Europe’s General Data Protection Regulation, enacted last year.
Schesser said the attorney general’s office is “way understaffed” to handle California’s new law, which she called “groundbreaking” because it is the most ambitious privacy legislation enacted in the United States to date.
‘Private Right of Action’ Proposed
The attorney general’s office is in a tough situation because introducing a law “is a totally different skill set” from the investigations or litigation that are the norm, said Travis LeBlanc, partner at Palo Alto-based law firm Cooley LLP and former chief of the Federal Communication Commission’s enforcement bureau. The attorney general’s office is “fundamentally a law enforcement agency,” he said, “not a regulatory agency that is designed around promulgating policy.”
To mitigate its inability to pursue many violators of the new law, the attorney general’s office has endorsed a proposal to allow individuals to challenge violators in the courts.
To ensure that consumer “opt out” requests do not go ignored, Becerra wored with state Sen. Hannah-Beth Jackson, a Democrat from Santa Barbara who is chair of the Judiciary Committee, to draft a bill to permit a so-called private right of action with regard to data privacy cases.
“The attorney general is your basic criminal law enforcement and civil rights officer in the state,” Jackson said, adding that she was seeking ways other than to “put the entire burden on the attorney general.”
The bill, SB 561, was voted down in a committee hearing May 16. It would have embraced a key concept in Europe’s privacy law, the ability for consumers to file civil suits. It also would also have removed language allowing businesses to avoid fines as long as they “cure” privacy violations within 30 days of being notified that they are not following the rules.
Giving Consumers Power
The original intent of the California Consumer Privacy Act was to give consumers “the ability to control how their information is used and whether or not a company can retain that,” Schesser said, so giving consumers the right to take action against companies represents “fundamental fairness.” She said private right of action would “work in parallel” with prosecution by the attorney general.
Many nonprofit advocacy groups, such as the American Civil Liberties Union, the San Francisco-based Electronic Frontier Foundation and the Sacramento-based Consumer Federation of California, support the idea of expanded rights to civil action.
“For a consumer protection law to have real teeth, it should have a private right of action, which allows for consumers to file a class action,” said Richard Holober, executive director of the Consumer Federation of California. “That is a generally much more impactful deterrent against corporate misbehavior than penalties” that would be enforced by the government.
But SB561 faced an uphill battle. Many organizations, including industry groups, opposed the bill, and it was so contentious that last summer the private right of action was stripped from the original draft of the main privacy law before the Legislature approved it.
‘Unfair Burden on Businesses’
SB561 was stopped in its tracks in the Senate Appropriations Committee. Jackson said she was evaluating her options and considering next steps.
The business and tech industry was pleased to hear the bill was defeated.
“Allowing direct consumer private actions could become a big issue for companies,” said Dan Rosler, vice president for business opportunities at advertising technology firm Flashtalking, based in San Francisco. “Companies could literally be driven into bankruptcy regardless the merits of the cases.”
Jackson has been able to keep the bill alive by offering to sit down and work out the language of the bill with opponents such as the California Chamber of Commerce and the Internet Association, which represents tech giants including Facebook, Google and Amazon.
“This bill would roll back the most critical agreement leading to the CCPA — that this complex, new law would be enforced by a regulator,” Sarah Boot, policy advocate for the California Chamber of Commerce, said at the April hearing. “SB561 would allow thousands of trial attorneys to test a business’ ability to perfectly comply with the complexities of this new law.” Boot called the bill a “significant and unfair burden on businesses.”
Other senators have been skeptical of the bill. Sen. Andreas Borgeas, Republican from Fresno, called it “red meat for trial lawyers” and said that “a ravenous frenzy” of privacy cases brought forth by consumers would have a chilling effect on business.
Sen. Bob Wieckowski, Democrat from Fremont, represents a district that is home to major Bay Area tech companies, including electric automobile maker Tesla. Wieckowski said he was “not comfortable” supporting the bill, although he generally supported a private right of action.
“There are a lot of people who don’t want to let people be able to access their own lawyers,” to address privacy violations, Jackson said.
She said she would work with all sides to create an enforcement mechanism that is effective for the “94 percent of Californians who want their privacy rights protected.”
Meanwhile other lawmakers, including state Sen. Thomas J. Umberg, Democrat from Santa Ana, have proposed that district attorneys and city attorneys in large cities support the state in enforcing the new privacy law. Both the attorney general’s office and Jackson said they were looking into such possibilities.
Reporting was supported by the Fund for Investigative Journalism.
Updated 5/17/19 to note that SB 561, a bill to create a “private right of action,” was voted down in a committee hearing Thursday.
Correction 5/16/19: A previous version misidentified the headquarters for Cooley LLP.