When it goes into effect next year, the California Consumer Privacy Act will be the nation’s strongest privacy law, with the aim of giving Californians more control over their personal privacy in

Still alive: The right of individuals to sue companies under SB-561

Another concern for consumer advocates is that under the CCPA, only the Attorney General has the authority to enforce the law. But, as California AG Xavier Becerra noted in a letter he penned to state senate and assembly leaders, there is concern about his office’s ability to effectively oversee and enforce CCPA’s privacy protections.

Among Becerra’s various critiques of the law were the 30-day cure period, under which the AG’s office would, he argues, essentially give free legal advice to tech companies at the taxpayers’ expense. Becerra also took issue with the lack of a private right of action, a provision that would allow users to sue tech companies to protect their privacy. Currently, the CCPA only allows plaintiffs to sue tech companies in the event of a data breach, but not other kinds of violations of privacy.

Senate bill 561, which is coming up for a Senate vote in a few weeks, would change that. “Under SB 561, people would have that right to enforce their rights in court if there was a violation,” says Snow, noting that this provision would also ease the burden on the AG office’s enforcement of CCPA, which would be constrained by limited resources.

“People are the best enforcers of their own privacy. If we can’t advocate for ourselves, who will?” says Tsukayama. With a private right of action provision, “if you find a company shared information with third-party that you did not opt-in to a relationship with, that would be grounds for a suit.”

Opposition in California and D.C.

Like Washington’s recently defeated algorithmic accountability bill, the CCPA amendments face stiff opposition. In an August 8 letter to California State Senator Bill Dodd, the coalition of California business lobbies requested to be included in CCPA clean-up legislation. In the 20-page letter, which recommended various changes to CCPA, the group argued that privacy compliance will place logistical and financial burdens, both large and small, on businesses in almost every industry.

“For example, the definition of “personal information” includes IP addresses,” the coalition wrote. “As such, this bill ostensibly applies to any business that receives 50,000 IP addresses per year on its website—that’s an average of about 137 unique visitors per day. Many small businesses will have to comply with this bill, regardless of their level of technological sophistication or their resources.”