The CCPA — Making Things Worse

The California Consumer Protection Act (CCPA) is falsely labeled. Many of its key provisions seriously jeopardize consumer privacy rather than enhance protections. This complex, more than 10,000-word law was hastily passed, in less than a week, with virtually no hearings. It is stuffed with ambiguous, inconsistent, and highly troubling provisions.

ANA has consistently pointed out the numerous flaws with the CCPA. These include:

• The law’s tendency to force companies covered under the Act to develop or dramatically increase the creation of detailed data pools to respond to consumer information requests – a highly tempting target for hackers and identity thieves;
• The extraordinarily broad definition of key terms in the Act that treat innocuous and sensitive consumer data as if they are of equal concern;
• The apparent requirement that consumers make an all-or-nothing choice whether to require companies to completely delete their data, an option that is unlikely to reflect many consumer’s preferred course of action.

California’s legislators should be focusing on fixing these and other fundamental problems with the CCPA.  Instead, there are efforts underway to increase drastically the scope of the penalties in the Act. Last week, California state senator Hannah-Beth Jackson, Chairman of the Senate Judiciary Committee, introduced new legislation (SB-561) that would make the CCPA far worse without helping to protect consumers.

Presently, the CCPA specifically permits a consumer whose personal information is accessed, disclosed or stolen because a business did not maintain reasonable security procedures to institute a civil action for damages.   Senator Jackson now unfortunately proposes to greatly expand the CCPA to allow consumers a private right of action for any CCPA violation – however inadvertent, trivial or harmless. This bill clearly would be a bonanza for trial lawyers and almost certainly lead to a blizzard of lawsuits burdening the California court system.  Under the Senator’s bill, individuals could go to court and bring an action for the most technical – and unintended – CCPA violations, without any need to demonstrate that they have suffered any harm at all!

The CCPA, for example, provides that a business must respond to a verifiable consumer request for information within 45 days. But what if a business is inundated with numerous data requests, and despite its best efforts, the business can’t respond until the 46th day after the request? Or what if a natural disaster like a wildfire takes down the internet connection for many California companies, and they can’t provide the online notices to consumers the CCPA requires? These CCPA violations would have occurred even though the businesses were trying diligently to follow the law. Nevertheless, lawsuits could be filed without the persons filing the suits having to show any harm at all.

This litigation threat is made substantially worse by the fact that Senator Jackson also proposes to eliminate the opportunity for a business to fix a problem before a lawsuit can be filed. The CCPA provides that the California Attorney General must give a business 30 days to correct errors before rushing off to court. Senator Jackson refers to this reasonable cure opportunity as a “get out of jail free” card, but it’s really a common-sense provision that allows companies to eliminate technical, immaterial errors made by entities that are attempting to comply fully with the law’s requirements. 

Small- and medium-sized businesses, which already struggle to make ends and payrolls meet, will be particularly burdened. They would now have to divert precious resources to fight lawsuits, many of which will be extremely expensive, unjustified and trivial. It just doesn’t make sense to require business to spend their assets on escalating court costs and legal fees rather than improving business operations to serve consumers better.

ANA supports strong privacy practices, and the advertising industry has in place many protections (such as the Digital Advertising Alliance (DAA) privacy program) to ensure consumer privacy is safeguarded. But this new bill is extremely problematic and should not be allowed to advance.