Before April 4, 2019, AB 1760 was a benign bill that fixed a few typographical errors in the California Consumer Privacy Act of 2018 (the “CCPA”). After the bill was amended on April 4, AB 1760 turned into a wholesale replacement of the CCPA with the “Privacy for All Act of 2019”. Introduced by Assemblywoman Buffy Wicks (D-Oakland), newly-amended AB 1760 would make drastic changes to the CCPA, increasing its scope, greatly tightening its restrictions on collection and disclosure of personal information of California consumers, and providing a full private right of action for any violation, with presumed damages. See Assemblywoman Wicks introducing the “Privacy for All Act” in this video:
The Privacy for All Act (the “Bill”) builds on the framework outlined by the CCPA, but with several notable changes. Perhaps most notable, the Bill would prohibit businesses from sharing personal information about a consumer that they have collected with anyone else absent the affirmative consent of the consumer (in other words, consumers must “opt-in” to the disclosure in advance). Obviously, if the experience with the California Financial Information Privacy Act (California Financial Code § 4050), which also requires opt-in consent for information-sharing, is any guide, few, if any, consumers would agree to information-sharing under the new law.
The Bill also makes changes to what businesses themselves can do with the data they collect about consumers. Businesses would only be allowed to collect personal information about consumers (1) if it is reasonably necessary to provide a service or conduct an activity that a consumer has requested, (2) as reasonably necessary for security or fraud prevention, or (3) as required to comply with a court order or legal process. These restrictions would likely end the business of collecting and brokering customer data in California.
Further, businesses would only be permitted to retain data that they have collected about customers if it is reasonably necessary to provide a service or conduct an activity that the customer has requested (with a small exception for security and fraud prevention). In other words, when a business is done with the data, it must delete it, even if the customer has not requested that deletion (as would be required under the CCPA).
The Bill would also eliminate the ability under the CCPA for businesses to offer consumers incentives to refrain from exercising their rights under the Bill, including charging different prices and providing different levels of a product or service, even if those differences are reasonably related to the value of the consumer data.
Finally, in addition to enforcement by the Attorney General, the Bill would permit any consumer to sue a business for any violation of the Bill. The Bill provides that “[a]ny violation of this title constitutes an injury in fact”, and provides for statutory damages of up to $750 per violation (or actual damages, if greater than the statutory damages). Finally, in another deviation from the CCPA, the Bill would permit a consumer to recover attorneys’ fees and costs in a lawsuit for a violation of the Bill.
The Bill received its second of three required readings in the Assembly on April 4, 2019, and was referred to the Assembly Committee on Privacy and Consumer Protection and the Judiciary Committee. If you thought the CCPA was draconian, the Privacy for All Act blows the CCPA out of the water in that regard. Let the lobbying begin.