The California Chamber of Commerce is seeking comments from members on the practical implications of the newly signed privacy legislation, enacted to avert a costly battle against an initiative that was headed for a spot on the November ballot.
The CalChamber and a coalition of businesses and other organizations opposed the legislation, AB 375 (Chau; D-Monterey Park/Hertzberg; D-Van Nuys), as representing a serious threat to the California economy.
Unlike the initiative, however, the legislation can be amended before it goes into effect in 2020. Changes to the initiative if it had passed, would have entailed another vote of the people.
AB 375 imposes many costly and poorly defined mandates on businesses. For example, the bill provides “consumers” with the right to request that a business delete their personal information, but the definition of consumer is so broad that it could apply to employees of a business. AB 375 also creates a private right of action for consumers in the event of a data breach that will result in a barrage of class action lawsuits because it allows for the award of significant statutory damages with no requirement of proof of injury.
Before the passage of AB 375, the CalChamber and coalition voiced serious concerns with the private right of action in the bill as it exposes California businesses to massive, additional liability without providing any corresponding benefits to consumers.
The CalChamber identified similar language in another bill this year, SB 1121 (Dodd; D-Napa), as a job killer.
SB 1121 now has been designated as the technical clean-up vehicle for AB 375.
Problems with AB 375
In a letter to legislators, the CalChamber and coalition urged them to fix problems with AB 375 that include but are not limited to:
• the issues surrounding enforcement;
• definitions of personal information and sale;
• consumer transparency and access;
• the right to delete information;
• certain opt-in rights;
• the mandated “opt out” button;
• the creation of rights like the European Union’s General Data Protection Regulation (GDPR) in language that differs from the GDPR;
• the Attorney General’s regulatory process; and
• confusing language that will be difficult for businesses and consumers to understand.
The CalChamber-opposed initiative removed from the ballot would have placed extraordinary restrictions on business use of personal information. It shifted away from the longstanding focus on protecting sensitive information to propose restrictions on how businesses use any personally identifiable consumer information. It also increased the incentives for filing class action lawsuits, covered all business sectors and would have been especially harmful to the data-driven economy that generates a significant portion of state revenue.
Given the extreme difficulty of amending a flawed proposal adopted via the initiative process, the CalChamber and coalition consider the legislative process preferable for a law that applies to businesses and technology, which are constantly evolving for the betterment of California.