California residents could be getting even more rights when it comes to protecting their data.
State officials proposed a new amendment to the California Consumer Privacy Act (CCPA) on Monday that would allow consumers to sue companies that violate the new law. Currently, consumers can only file a lawsuit if they're victims of a data breach and only when the state's department of justice has decided not to sue on consumers' behalf.
The CCPA, which was passed in 2018 and goes into effect in 2020, is the toughest privacy legislation in the United States. It's also the first law in the country that gives people control over the use of their personal data.
Key parts of the law include prohibiting businesses from discriminating against consumers who exercise their rights and requiring businesses to disclose how they collect and share consumer data. It also lets consumers request that their data be deleted and makes it possible for people to opt out of the sale or sharing of their personal data.
The proposed amendment would give people more avenues to pursue their own resolution in court for any violation of the CCPA.
California Attorney General Xavier Becerra and State Senator Hannah-Beth Jackson unveiled the amendment at a press conference in Sacramento on Monday afternoon.
"If [companies are] violating your right, they're probably violating the rights of a lot of other people," Jackson said. "The purpose of this litigation is not to punish this behavior, it's to deter it. It's to make these companies comply with the law. If there's no punishment, if there's no accountability, they're going to keep doing it because it makes them money."
Consumers would be able to sue companies for misusing their data or suffering a data breach. The law would apply to tech companies like Facebook and Google as well as any other businesses that collect and handle personal information such as Marriott or Amazon. Facebook declined to comment. Google and Marriott did not respond to a request for comment.
James P. Steyer, CEO of Common Sense, a non-profit organization that promotes safe technology use, said the amendment will take some of the burden of enforcing and monitoring violations off the attorney general's plate.
"Companies with endless resources will do everything they can to make it difficult for the AG," Steyer said in a statement. "By allowing consumers their own right to take action to hold bad actors accountable for violating their privacy, this law adds needed enforcement teeth to CCPA and Common Sense is firmly in support."
The amendment would also remove the current waiting period that gives businesses 30 days to attempt to remedy a violation and retract any exposed data from public view to avoid penalties.
Additionally, under the amendment companies would no longer be able to ask the state DOJ for "free" legal advice about complying with the privacy law — a benefit that was included in the original privacy law.
"The California Department of Justice serves the state of California and its 40 million people collectively," Becerra said. "We protect them and their rights. We do not give out free legal advice, which is what this would translate into. It would be free legal advice to that business at taxpayer expense."
The amendment would instead allow the Attorney General's office to publish general guidance for companies complying with CCPA that anyone could access.
This new amendment follows legislation proposed on Thursday that would require companies to notify California residents when their passport, passport card or green card numbers are compromised in data breaches. It would also require customers be notified of compromised biometric information such as fingerprints.
California is the first state to have legislation like the CCPA, but other states are using it as a potential framework for adopting their own privacy laws.
Congress is also considering a national law that would address consumers' right to protect their data. While companies have lobbied for a law that would overrule the CCPA, state legislators have urged Congress not to nullify the consumer protections attained in the act.