ARMA President-Elect Says Expanded California Privacy Bill ‘Ups the Ante’ for IG

Written on March 5, 2019.

California Attorney General Xavier Becerra endorsed a bill last week that expands the state’s new privacy act to permit consumers to sue companies over their handling of personal data. The privacy law that was passed in 2018 gave consumers the right to sue only in the case of a data breach. The new bill allows them to sue over any violations.

Becerra acted against the wishes of tech lobbyists, according to Reuters.

Jason Stearns, ARMA’s president-elect, says the expansion of “the most significant change in the U.S. privacy landscape” heightens the need for a strong IG program within organizations.

“This proposed bill supported by the AG ups the ante yet again and reinforces the need for organizations to have a robust privacy program that is fully integrated into an overall information governance framework,” he told ARMA.

The expanded bill cuts a provision that gives businesses 30 days to “cure alleged violations without penalty. It also says that companies are no longer entitled to seek the guidance of the AG’s office on whether they’re in compliance. “We do not give out free legal advice . . . paid by taxpayers,” said Becerra. Instead, the office will publish general guidance on how to comply.

One way to begin to comply, Stearns advises, is to acknowledge that the days of “keep everything” are behind us: “Organizations must be proactive and aggressive in their efforts to identify, control, manage, and ultimately disposition the data they collect and create, particularly personal data.” The tech lobby claims that such wide-ranging protections will be “staunchly” fought in Sacramento and Washington. Further, as Reuters reports, many business groups are pushing for a national privacy law that would supersede state legislation before the California Consumer Privacy Act takes effect in January.

Photo by Franco Folini.