In these uncertain times, California’s businesses are struggling with implementing COVID-19 prevention measures, managing remote workforces, and paying salaries and expenses as they try to stay afloat.
This has been on top of burdens brought on by California’s new sweeping privacy law, the California Consumer Privacy Act (CCPA) which was enacted by the Legislature in late 2018 and took effect on Jan. 1 this year.
While consumers deserve privacy protections, CCPA’s complicated approach has resulted in vast uncertainty and costly obligations for businesses, particularly small moms-and-pops, who have had to implement significant changes to their operations to comply.
Enforcement of the CCPA began in July of this year even while the final regulations were still pending. Attorney General Xavier Becerra rejected requests by the business community for a compliance extension, notwithstanding implementation challenges created by pandemic-induced shutdowns and remote working.
Piling on to their struggles, California businesses may get hit with a new wave of compliance and litigation exposure if Proposition 24 — yet another complicated and sweeping privacy law — is approved by voters in November. Prop. 24, or the California Privacy Rights Act, would replace the CCPA with confusing provisions that duplicate, modify and expand the CCPA.
It is simply too soon to enact another measure that replaces the recently-enacted CCPA. We have not seen the full effects of CCPA on consumers and businesses; California needs time to assess which provisions are working and which are not.
In the case of CCPA, as difficult as it has been to implement, at least the statute is malleable. Since it was adopted through legislation, the Legislature can evaluate, add and take away as necessary with additional legislation.
By stark contrast, Prop. 24, if adopted, would tie the Legislature’s hands. If Prop. 24 proves to be a disaster, the Legislature will not be able to remove problematic areas with legislation. Any changes that don’t “further” Prop. 24 require going back to the ballot with yet another proposition. This is no small feat when initiatives are only voted on every two years and cost millions of dollars just to get on the ballot.
Of particular concern, Prop. 24 cements into statute the CCPA’s vague and broad private right of action. This allows private plaintiffs’ attorneys, rather than qualified state regulators, to sue businesses for alleged data breaches.
Just as we have seen with ADA and Prop 65 lawsuit abuse, a private right of action will enable unscrupulous attorneys to shake down businesses with lawsuits that line their own pockets without any meaningful benefit to consumers. Should Prop 24 result in these harassing lawsuits that often target small and ethnic businesses, again, any fix will require a whole other ballot initiative.
Prop. 24 is not the right vehicle for delivering on privacy protections for consumers. Online privacy is a dynamic and evolving issue; it is critical that our state’s policies be nimble and adapt to ever-changing technology, modes of consumer online engagement, and impact on all stakeholders in the online ecosystem. Moreover, policymaking of this magnitude needs a measured and balanced approach with a predictable framework and reasonable implementation timelines.
If Prop. 24 passes, we will have the worst of both worlds — an expansive and untested new law and the inability to fix or remove problematic areas. Voters need to reject Prop. 24 in November.
Kyla Christoffersen Powell is president and CEO of the Civil Justice Association of California.