California lawmakers blocked an effort Thursday to expand the state’s sweeping new data privacy law, handing a victory the tech industry as it faces mounting scrutiny over how it collects, stores and sells consumers’ information.
The state that is home to Silicon Valley and tech giants such as Facebook passed the country’s most sweeping data privacy law last year. The law gives customers the right to know what data companies are collecting from them as well as the right to delete and restrict the sale of that information. The California Consumer Privacy Act takes effect next year.
Attorney General Xavier Becerra and privacy advocates called on lawmakers to go further this year and give the public a right to take companies to court over violations of the law and to toughen how the state enforces its provisions.
Business groups and the tech industry fought the proposal, arguing it would create unnecessary lawsuits, and the Senate Appropriations Committee defeated it Thursday. It was the latest action in the political tug-of-war over consumer data amid mounting concerns about the influence of the tech industry and prevalence of data-driven technology in everyday life.
“The truth of the matter is the tech world is such a behemoth at this point in time, they have so much money, they have really been driving this whole discussion,” said Democratic Sen. Hannah-Beth Jackson of Santa Barbara, the bill’s author.
Privacy advocates had rallied behind the idea of letting consumers sue companies over violations of the privacy act, such as when companies do not delete data when asked, arguing it would ensure accountability in the tech industry.
Under the California Consumer Privacy Act, consumers have few options for taking a company to court to enforce the law. Otherwise, it will mostly fall on the state of California to enforce the new privacy act.
“There are so many aspects to this where violations could occur but the attorney general could be the only entity that could bring a suit,” Jackson said.
Her bill would also have scrapped a provision that will require the state give a company 30 days notice to fix a violation of the privacy law before the attorney general pursues enforcement action.
Major tech companies, including Amazon and Facebook, had lobbied lawmakers on the legislation, though they are not required to state their position in lobbying disclosure reports. TechNet and the Internet Association, industry groups that represent companies including Facebook, Google and Amazon, opposed the bill when it was filed.
A long list of business groups came out against Jackson’s bill, too, suggesting it would be a boon for trial lawyers and contending enforcement is best left to the state.
The California Chamber of Commerce said the goal of the bill “appears to be lawsuits and attorney’s fees.”
“Compliance with the CCPA should be the goal of any regulatory enforcement and having individual trial lawyers responsible for enforcement as is the case in SB 561 will not serve that goal,” said Sarah Boot of CalChamber.
Meanwhile, business groups are pushing various bills to either tinker with the law or create what could turn into big exceptions.
Grocery stores and other businesses, for example, are backing a bill that would expressly allow businesses to continue operating loyalty card programs.
Other legislation would allow companies to sell data for certain purposes from consumers who have opted out of having their data sold.
Many in the tech industry have pushed for action on privacy laws at a federal level to avoid states adopting different standards. But proponents of California’s law argue it could set a new standard across the country if companies extend the same policies to customers nationwide or at least get used to more transparency.
“While it is only enforced in California, it has, we believe, nationwide influence,” said Adam Schwartz, senior staff attorney at the Electronic Frontier Foundation, which advocates for privacy laws.