Business Groups Push Calif. Privacy Law Changes


By Daniel R. Stoller

An array of state and national business groups are asking California lawmakers to rewrite parts of the state’s new online privacy law, including delaying its effective date until the state attorney general finishes writing implementing regulations.

The California Chamber of Commerce, the California Bankers Association and the Internet Association were among dozens of groups asking for changes in a 20-page letter to state Sen. Bill Dodd (D), the chief legislative sponsor of a pending technical corrections bill (SB 1121).

The letter marks one of the highest-profile pushes to tweak the law, enacted June 28 and scheduled to take effect Jan. 1, 2020. The California legislature is unlikely to enact substantive changes before adjourning at the end of August, but the business groups are likely to continue lobbying for similar amendments next year.

Parts of the California privacy law are “unworkable” and “would result in negative consequences unintended by the authors,” the groups said in their letter. Dodd’s office did not immediately respond to a Bloomberg Law request.

The groups proposed language to clarify that the law’s private right of action is limited to data breaches and does not extend to other potential privacy violations. They contended that lawmakers intended the consumer right to sue to apply only to breaches.

The groups also observed that the state attorney general’s office must adopt regulations by Jan. 1, 2020 on how the law is implemented, including a definition of personal information. They want the attorney general’s rulemaking process pushed back to begin at the start of 2020, meaning the law wouldn’t fully take effect for more than a year after that.

“We request clarification that the regulatory process not commence until January 1, 2020 and that compliance not be required until 12 months after the completion of the AG’s rulemaking process,” the groups said in their Aug. 6 letter.
