Like the spluttering of an old car that won’t start, the federal privacy law sits motionless on the starting grid, while California takes pole position in the regulatory race for data privacy.
The EU’s General Data Protection Regulation (GDPR) set the pace back in May 2018, but California’s Consumer Privacy Act (CCPA) has since made up ground, to become the second fastest privacy law to be created, and now putting pressure on its counterparts.
…but that’s nothing new for a U.S. state with a long track record of implementing industry changes.
Now, with less than five months to go before California’s new privacy law comes into effect, tech giants and privacy advocates with conflicting ideals face a showdown, as Silicon Valley launches a last-ditch attempt to swing the law in its favor.
Sarah Boot is a lobbyist for the California Chamber of Commerce, which has been pushing to narrow the types of data covered by the law, as well as other changes. She said:
The stakes are astronomically high because businesses of all sizes across every industry are expected to comply with the letter of this complex law in less than five months.
The CCPA comes into effect on January 1, 2020. And efforts by businesses hoping to grab one last chance at influencing changes to the law, have so far, been thwarted.
With less than four weeks to go before the legislative session closes, various trade associations representing the interests of tech giants such as Facebook and Google, plus a multitude of other corporations, are revving their engines in preparation of a final lobbying assault.
During the second quarter of this year, hundreds of thousands of dollars were spent by industry groups seeking to influence privacy legislation, according to lobbying disclosure reports.
Data privacy advocates, who have made two unsuccessful bids to reinforce the 2018 law, are now saying their goal is simply to keep the Privacy Act intact.
Lee Tien is a senior staff attorney for the Electronic Frontier Foundation, a San Francisco-based group that advocates for stronger consumer protections online. Tien said:
We’re basically looking to hold the line on everything,
… we’re watching for gut-and-amends and the usual shenanigans on the floor.
According to the CCPA, any company that does business in the state of California, irrespective of whether it is physically located presence in the state, is required to disclose upon request, the personal information they hold on any individual who is a California resident.
The law also provides for Californian residents to instruct a business not to sell their personal data, or to delete that data altogether.
Several proposals from both advocates and opponents of the new law have been hampered this year, partly due to concerns about potential deviation from the privacy deal agreed in 2018.
It is no secret that lawmakers wasted no time in putting the CCPA together. And last year, business groups received assurances that they would have an opportunity to propose any changes to this speedily-passed law, before it takes effect in 2020.
However, according to the California Chamber’s Sarah Boot, several “crucial fixes” proceeded swiftly through the state Assembly this spring, only to be later blocked in July by the state Senate Judiciary Committee, literally days before lawmakers broke for the summer recess.
At a late-night hearing, the committee threw out a bill to narrow the definition of the term “personal information.” And another high-profile bill designed to create broad exceptions to the law, which would allow businesses to provide consumer’s personal information for purposes including fraud detection, was withdrawn before the hearing.
Despite this, some bills remain on the table. One such bill is CA AB25 (19R), which, if passed, would provide for businesses to verify the identities of consumers making information requests.
The ever-growing list of scandalous data breaches and privacy violations involving Facebook, Google, Capitol One, Marriott, Yahoo and many other companies, has fueled the race to influence data privacy legislation. And every time an incident of privacy violation is exposed, there is more public outcry over intrusive tracking practices and the government’s failure to properly protect the privacy of its citizens.
How it all began
According to Newsfns, the California Consumer Privacy Act “passed not long after the European Union adopted its own set of consumer-data rules, came into being in quintessential California fashion. A multimillionaire developer muscled it through the state Legislature using the threat of a statewide referendum on data privacy. If the referendum had passed, it would have enshrined sweeping consumer protections in the state constitution, including the right for consumers to file class-action suits against alleged violators.
The developer, Alastair Mactaggart, withdrew the ballot measure in exchange for the Privacy Act’s passage.
The effects of California’s law — which state Attorney General Xavier Becerra is scheduled to enforce beginning next summer, six months after the law takes effect — could ripple far beyond the state’s borders.
While Californians are the only ones who will wake up on Jan. 1 with new rights under the state law, some companies might find it impractical or simply a bad public-relations move to deny privacy requests made by people living in other states or countries, said Kristen Mathews, an attorney whose firm, Morrison & Foerster, is advising clients on the law.
CCPA … a proof of concept
The California law also could inspire other state legislatures to take similar steps, said Chris Conley, a technology and civil liberties policy attorney for the American Civil Liberties Union of Northern California.
It is a proof of concept, … If the sky doesn’t fall, it becomes much easier for other states to say, ‘Look, California has done this. They have a large percentage of the U.S. population, the California technology economy is still humming right along, this is not actually going to end the internet as we know it, so that’s workable.’
In Washington, lawmakers from both parties say they have not given up on a national standard, despite disagreements. One of the biggest sticking points is whether federal law should block states from adopting additional protections, an idea favored by Republicans but batted down by California Democrats intent on preserving the Privacy Act.
“We want to keep moving forward up here,” Sen. John Thune, a South Dakota Republican and GOP whip, told POLITICO. “Our job is to try to put a policy in place that would protect people’s privacy and not allow for a patchwork of state laws to create just a lot of uncertainty.”
But business interests hoping the federal government will nullify California’s Privacy Act with a single federal standard might be disappointed, said Dan Schnur, a former Republican strategist who now teaches at the University of Southern California’s Annenberg School of Communication. He said:
For the tech community and for other opponents of the privacy bill, the likelihood of Congress riding to the rescue is beginning to look less and less likely
Rep. Anna Eshoo (D-Calif.) has been adamant that lawmakers representing Silicon Valley be central to any federal deal, and that any deal doesn’t undermine her home state’s groundbreaking law.
Still, she said in an interview, it’s important for Congress to act alongside California — and soon. The absence of federal regulations has allowed consumer privacy woes to grow “into a monster in some ways,” she said. “It’s not what people signed up for.”“