CCPA: Congress’ Model for Data Privacy - or Oblivion?

It’s not often that lawmakers of both sides of the house, businesses and tech industry lobbies, are in total agreement. However, they appear to be united in the view that this session of Congress could be the best chance in years of passing effective data privacy legislation.

…but that’s not to say it has the best chance of success.

It is widely acknowledged that California’s development of a data privacy law, based on the European Union’s General Data Protection Regulation (GDPR), has propelled members of Congress forward, to create a federal privacy protection regulation. And certainly, various scandals involving some of Silicon Valley’s biggest tech firm and the misuse of social media during the 2016 election, has given lawmakers the cover to take on tech giants.

Under California’s Consumer Privacy Act (CCPA), which comes into effect in 2020, California residents can demand that businesses reveal what personal information has been collected about them, and whether their data is being sold or shared with third parties. Consumers can also legally require a company to delete their personal information. Moreover, the CCPA will allow individuals to seek damages from companies whose negligence leads to breaches of personal data.

Some companies welcomed the bill, while others whose business model relies on the collection and sale of user data want to see a federal law scale it back. Also, many businesses would prefer to avoid having to deal with a mishmash of state laws on top of the EU’s GDPR rules, which state that firms must obtain people’s “informed and unambiguous” consent for processing personal data, as well as requiring them to report data breaches to the supervisory authorities.

Meanwhile, proponents of data privacy want to see decisive moves to pass robust legislation at federal level, setting a national ‘standard’ that matches, or exceeds California’s CCPA.

But even with a strong desire to reach agreement, there are several ‘sticking points’ which could scupper majority-held aspirations, including how to deal with state laws set up by California, as well as other states that are hot on its heels. As always, when it comes to Congress, the safe bet is on inaction.

However, lawmakers, lobbyists and advocates still see a real opportunity.

Sen. Roger Wicker, R-Miss., who chairs the Senate Commerce Committee commented:

“I think that it’s one of the bipartisan, bicameral issues that can land on the president’s desk and should land on the president’s desk, …I think we can do it, and we need to do it. It’s an imperative.”

Senator Wicker is currently working with fellow Republican Sen. Jerry Moran of Kansas and Democratic Sens. Brian Schatz of Hawaii and Richard Blumenthal of Connecticut, to draft bipartisan legislation on the Senate side of the Capitol. By all accounts, the group is making substantial progress.

Meanwhile, skeptics have good reason to be pessimistic, beyond Congress’ continuous struggle to pass almost any legislation. Several years ago, as breaches of personal data started to become more common, Congress considered passing a bill requiring consumers and authorities to be notified of such events, as dozens of states were doing independently. In the end the effort failed, and every state passed its own law.

Several state attorneys general at a recent privacy conference in Washington predicted that the same thing could happen in the data privacy arena, with California’s new law ultimately serving as a model for other states. Attorney General for Vermont, T.J. Donovan is among those who are doubtful that federal lawmakers can agree on a unified approach.

“Until they do, you will have states act on this issue,” Donovan said. “I don’t think you’re going to see state (attorneys general) abdicate their responsibility to address their consumer protection responsibilities.”

However, some experts see greater momentum for privacy legislation in Congress because of the issue’s existential nature to many companies. The handling of users’ data is essential to the fabric of most companies, from the way their websites are designed to the way a business model works. Complying with different state laws would be virtually impossible for companies that operate online, the industry fears, bringing them to the table for action.

Several approaches for a federal privacy law are being discussed in Washington. Privacy advocates want companies to take on more responsibilities than consumers. This could mean banning certain practices such as using personal data to discriminate against consumers and giving individuals the right to take legal action in cases of misuse of data. Advocates argue that consumers should be in control of their own data in most cases. This would include the right to have their data corrected if it’s wrong, receive a readable copy of the data, or have it deleted completely.

As veterans of the California fight refuse to wait on Washington to get its act together. Jim Steyer, CEO of Common Sense Media, an advocacy group that helps families navigate media and technology, called California’s CCPA a landmark bill that could be replicated in Congress.

Mr Steyer said lawmakers working on the issue are serious and that he has advised many of them. But he still doubts that anything can pass these days, much less strong legislation.

“The question is, can Washington overcome its dysfunctionality?” Steyer said. “We are skeptical as to whether or not Congress can get its act together, and our bottom-line position is if there is federal privacy legislation, it has to be stronger than the California privacy law.”

Steyer added, if it’s not then advocates will have no trouble focusing on the state level.

“The entire tech industry is not going to agree with this, and some of the companies will spend hundreds of millions of dollars trying to water down the legislation, like Facebook and Google, maybe,”

As we all know, Congress is notorious for its propensity toward inertia. So, it wouldn’t be too difficult for either side of the debate to withdraw support if a bill doesn’t match up to the status quo. Meanwhile, those who want to see action are hoping that even debating and advancing ultimately unsuccessful legislation could amount to progress.

 Are you in favour of federal data privacy law?
Or do you think each state should be responsible for implementing its own regulation?

Sources: San Francisco Chronicle