Letter to California Lawmakers on Consumer Privacy Act

Consumers Union, the advocacy division of Consumer Reports, thanks you for considering legislation to grant consumers new privacy protections. The United States is one of only a handful of advanced nations that lacks comprehensive privacy protections to safeguard consumers’ personal information, even as data collection and sharing practices have become more and more prolific and aggressive.

Consumers Union was an early supporter of the California Consumer Privacy ballot initiative, and we applaud many of the provisions from that initiative that have been included in the amended AB 375. Given the current state of the law, we appreciate that the bill advances consumer protections in several ways. Not only does AB 375 give consumers the ability to access the information that companies have about them, it also extends to consumers the right to control the sale of their data. While many companies offer voluntary opt-outs today, AB 375 provides consumers with a significant new legal right that may allow them—or intermediaries acting on their behalf—to take simple and effective action to stop the sale of their information to data brokers and advertising companies.

AB 375 also provides new security protections in the wake of the Equifax data breach, in which the personal information of nearly 150 million consumers was compromised, leaving them more vulnerable to identity theft. The breach demonstrated that companies do not always take appropriate steps to safeguard consumers’ sensitive information. And Equifax is just one breach of many such companies—in 2016, there were nearly 1,000 data security incidents affecting financial institutions alone. While federal and state laws require financial services companies like Equifax to adhere to reasonable data security standards, they lack penalties. With this bill, the Attorney General can hold businesses accountable for failure to use reasonable security practices.

However, we have serious concerns about certain aspects of AB 375 that deviate from the ballot initiative language and that introduce very troubling concepts into the law. Most notably, AB 375 lacks sufficient enforcement to ensure that this bill is truly meaningful for consumer privacy. We are particularly troubled by the “right to cure” provision included in the bill which, depending on how it is interpreted, may enable a business to evade all liability for behavior proscribed by the statute if it remedies its behavior within 30 days of receiving notice of noncompliance. Many bad privacy practices are completely invisible and undetectable by consumers: under this provision, a company might be able to flagrantly violate the law, and only cease its behavior once its privacy-invasive practices were discovered. Companies should not have to receive legal notice from the Attorney General before being legally responsible for following the law. We also oppose the provision that allows companies to charge higher prices to consumers who decline to have their information sold to third parties. Under the California Constitution, consumers have an inviolable right to privacy. Consumers should not be charged for exercising that right.

Despite these concerns, we recognize that this bill advances protections at a time when consumer privacy is most under threat. We sincerely appreciate the leadership of Asm. Chau, Sen. Hertzberg, Sen. Dodd, and the ballot initiative’s sponsor Alastair MacTaggart for working under enormous time constraints to try to craft positive new protections for Californians’ personal information. We look forward to working with you to address our concerns, and to enact more substantial and comprehensive reforms to California’s privacy and security framework.