As technology continues to become more pervasive, consumer privacy has become a hot-button issue for policymakers. Greater access to the internet, smart devices, and social media platforms have connected the world and made life more convenient, but they have also raised privacy concerns as these providers vacuum up more consumer data.
California Takes the Lead
The first big mover in this space was the European Union, which gave consumers more control over the data that private companies collect about them by enacting the General Data Protection Regulation (GDPR). The GDPR became enforceable in 2018.
That same year, the California Legislature passed its own landmark privacy law with the California Consumer Privacy Act (CCPA). The law, which goes into effect in 2020, requires entities to provide notice to consumers regarding what information is collected about them and gives them the right to opt out of the entity selling their information to third parties and have that information deleted.
The legislation was rushed into law to prevent a similar, but more far reaching ballot initiative set to go before voters that November, leaving lawmakers to amend the law during this year’s session before it takes effect. One proposed bill (CA SB 561), which California Attorney General Xavier Becerra (D) supports, would provide a private right of action for private citizens to file lawsuits against companies that collect data and are accused of violating the privacy law’s provisions. That bill was held up in committee in May and appears to be dead, at least for this session.
The Mad Dash to Amend California’s Law
Other proposed changes to the CCPA have come from companies concerned that certain terms in the law are too broad or vague. For example, the CCPA does not restrict a company’s ability to “collect, use, retain, sell, or disclose consumer information that is deidentified or in the aggregate.” However, it is still unclear what constitutes deidentified and aggregated data exempted under the CCPA. Additionally, information that is “publicly available” does not qualify as “personal information” under the CCPA, though the law narrowly construes “publicly available” as only that information produced by the government. One proposed bill (CA AB 874) seeks to better clarify what constitutes “personal information.”
The CCPA defines “consumer” as a "natural person who is a California resident” and does not specify that it has to be a person buying goods. This broad definition has led to concerns that the law could apply to information that employers collect from employees. Consequently, a proposed bill (CA AB 25) seeks to exclude employees from the law.
The law also prohibits companies from discriminating against people who exercise their rights under the law, but that provision has raised concerns that loyalty programs that provide discounts to certain customers could be ruled as violating the law, something another proposed bill (CA AB 846) seeks to fix.
Other States Look to California as an Example
State lawmakers in Washington attempted to follow California’s lead with a comprehensive privacy bill (WA SB 5376) earlier this year that had the backing of tech companies like Microsoft. That bill borrowed many of the GDPR and CCPA’s principles, but it carved out exceptions for some current data collecting practices.
The bill easily cleared the Senate, but once it was referred to the House, consumer groups and the ACLU raised concerns over those exceptions and the lack of a private right of action to enforce the law. These groups also wanted a moratorium on facial recognition technology. The bill stalled in committee and the Washington State Legislature has adjourned its 2019 legislative session.
A New York bill (NY SB 5642) would emulate the California law in many ways, such as requiring notice on certain types of information being collected, requiring consent before information is shared with a third party, and giving consumers the right to have information deleted. Unlike the California law, however, it includes a private right of action. The proposed law would also apply to companies of any size, unlike the California law. The CCPA applies only to businesses with at least $25 million in annual revenue.
Other states have proposed legislation that would mirror the California law, such a proposed bill in New Mexico (NM SB 176) that failed to pass before adjournment. Lawmakers in Illinois, Massachusetts, Minnesota, Pennsylvania, Rhode Island, and Texas also introduced comprehensive privacy legislation this year. Lawmakers in other states have introduced legislation that apply to certain industries, such as enacted bills in Maine (ME LD 946) and Nevada (NV SB 220) that grant rights to consumers before internet service providers share consumer information with a third party.
California as the De Facto National Standard?
This leaves all eyes on California. Whatever form the CCPA takes when it goes into effect in 2020 will become the new standard for lawmakers in other states. Additionally, once certain provisions become enforceable in a large and influential state like California, many companies will change their policies nationwide instead of avoiding the Golden State or setting up different policies for each state. To avoid this outcome, many industries would rather have Congress act on this issue to set a uniform national standard. However, so far Congress has failed to take major action on privacy, leaving an opening for states like California to set the standard.
What have other states done in 2019?
During the 2019 legislative sessions, several state lawmakers introduced legislation requiring consumer consent and/or the right to opt out of the collection and sharing of consumer data. Three states had enacted bills so far this year—Maine, Massachusetts, and Nevada.