Do we need the CCPA whistle-blower provision back?
The California Consumer Privacy Act of 2018 followed an unorthodox path to approval. It started as a ballot proposal set to be voted on during the November 2018 cycle. During the last two weeks of July 2018, in a flurry of activity, a deal was struck between the ballot proponents and Sacramento to pass a legislative version of the proposal, on condition that the ballot initiative be dropped. This history has now been enshrined under Cal. Civ. Code §1798.198 (b), which states that CCPA will go into effect “only if initiative measure №17–0039, The Consumer Right to Privacy Act of 2018, is withdrawn from the ballot pursuant to Section 9604 of the Elections Code.”
There were changes between the ballot proposal and the approved text of the law. One change was the deletion of a provision for whistle-blower enforcement. It had stated that “[a]ny person who becomes aware, based on nonpublic information, that a person or business has violated this Act may file a civil action for civil penalties,” and provided for up to 50 percent of the proceeds from the action being allocated to the whistle-blower.
We can only speculate as to why the provision was struck down during negotiations, but clearly the deletion benefits the industry potentially at the expense of dutiful data professionals who may have identified compliance issues and raised them…