By Spencer Feingold
New legislation introduced in California is aiming to strengthen the state's data privacy enforcement power against big tech companies by giving individual consumers the right to sue them, the state lawmaker who sponsored the amendment told Cheddar Tuesday.
“Right now, the consequences are so weak that companies have no incentive to comply,” State Senator Hannah-Beth Jackson said.
The amendment, SB 561, allows consumers to sue major tech companies under the California Consumer Privacy Act (CCPA), which was passed unanimously by the state’s legislature in June 2018.
California was the first state in the U.S. to give residents legal authority over their online data. Under the CCPA, companies must disclose data collection and use practices, as well as give consumers the right to opt out of the selling or sharing of their personal information. Consumers also have the right to request their data be deleted.
However, the bill's enforcement mechanisms were weak and all legal action was required to go through the state’s Attorney General’s office.
“A right without a remedy is really no right at all,” Jackson said.
The amendment, introduced at the end of February, aims to strengthen the law by giving everyday consumers the right to sue. SB 561 also removes a section of the CCPA that gave tech companies the opportunity to resolve violations before enforcement occurred.
“SB 561 will ensure that the most significant privacy protections in the nation are robustly enforced,” Jackson added in a statement.
The CCPA emerged in part from revelations of dubious data practices uncovered after the 2016 presidential election, including the Cambridge Analytica scandal, which exposed the illicit collection of personal data from thousands of Facebook ($FB) accounts by a political polling firm.
The scandal showed that the misuse of data has “the ability to impact the way we think and the way we vote,” Jackson said.
The CCPA resembles a lighter form of the European Union’s General Data Protection Regulation, which was passed in 2016 and significantly changed the way online data is handled. One major difference between the two laws is that internet users in Europe must opt in to having their personal information shared or sold. In California, tech companies are required only to offer an opt-out option. Europe's broad explicit consent mandate has been criticized as an undue burden, especially for smaller companies.
The CCPA does, however, prohibit tech companies from selling data from users under the age of 16 without explicit consent.
“California, the nation’s hub for innovation, has long led the way to protect consumers in the digital age. And as we work to strengthen data privacy law, the world is watching. It’s essential that we get this right,” California Attorney General Xavier Becerra said in a statement.
Tech companies still have until Jan. 1, 2020 to comply with CCPA regulations.