Will the Real Data Regulator Please Stand Up? PLEASE stand up?!

Last year, California passed the most robust data protection law in the country.  Among other things, the California Consumer Privacy Act (CCPA) provides consumers with the right to know what information a business has about them, the rights to access, delete, and opt out of the sale of that information, and the right to not be discriminated against by a business for exercising those privacy rights.

Unfortunately, the 33-page, 10,000+ word CCPA is incredibly complex and confusing – even fancy privacy experts disagree on the meaning of certain provisions.  That is why the privacy rights created by this law were not intended to be enforced by trial attorneys – but by a regulator.

The CCPA was largely modeled after the European Union’s General Data Protection Regulation (GDPR) – a law that is enforced by regulators who can offer guidance, issue warnings, and impose fines.  Here, the Legislature selected California’s Attorney General to fill that regulatory role with respect to the CCPA’s privacy rights.

There’s only one problem – and it’s a big one.  The Attorney General (AG) is sponsoring legislation, SB 561 (Jackson), that would not only remove himself as California’s Chief Privacy Officer – but eliminate that regulatory role completely.  Specifically, SB 561 would:
• Remove businesses’ ability to seek guidance from a regulator on how to comply with this confusing and complex law;
• Remove businesses’ 30-day right to cure an alleged violation of the CCPA; and
• Create an onerous and costly private right of action for trial lawyers to sue for any violations of the CCPA.

Not to state the obvious, but this is really, really bad.  According to the International Association of Privacy Professionals, over 500,000 businesses will be required to comply with the CCPA, “the vast majority of which are small-to-medium-sized businesses.”  These businesses are going to need the guidance of a regulator and the latitude that a regulator can offer them to make changes if their good faith efforts to comply with the many nuances of the CCPA fall short.

As for the private right of action, trial lawyers were already rejected as the enforcers of the CCPA.  And for good reason.  We’ve all seen the abuses that have arisen from trial lawyer “enforcement” of the technicalities of government regulations in the employment context with the Labor Code’s Private Attorneys General Act (PAGA) – a law that has resulted in a flood of litigation against California employers, often over technical violations of the law where employees have suffered no harm.  The abuses of PAGA will pale in comparison to the abuses that would stem from trial attorney enforcement of the far more complex CCPA.

Is the AG a perfect fit to be California’s data regulator?  Probably not.  But was he the best available, existing option in the state?  Absolutely.  The AG’s office already has a team of privacy experts – and its Privacy Enforcement and Protection Unit has achieved significant results and headlines since its inception in 2012.  Also, the AG’s office already has the infrastructure in place to ensure that this complex law and its regulations are enforced uniformly throughout the state.

Regardless of who holds the role, California really needs a fully-funded data regulator with statewide reach for the CCPA to work.  The goal of the CCPA should be compliance – not lawsuits and attorney’s fees – and only a regulator can achieve that.

Sarah Boot, Policy Advocate