CCPA Privacy Protection: Will the New California Privacy Law be a Catalyst for Federal Action?

The new California privacy law, the California Consumer Privacy Act (CCPA), is causing a great deal of angst within the privacy protection community and Silicon Valley alike. During the recent Privacy. Security. Risk. 2019 conference held in Las Vegas by the International Association of Privacy Professionals (IAPP), it was hard to attend a session where CCPA wasn’t discussed, often agonizingly.

Among other reasons, while this legislation significantly improves the privacy protection for California consumers, and will likely cause companies to provide similar protections to consumers from other states as well, it is unwieldy and confusing, leading one of the speakers to state that “CCPA is a mess”. It is also now imminent. It goes into effect on January 1, 2020, so any company that has customers who are California residents is going to have to figure out how to comply with its provisions.

I learned in one of the conference sessions (CCPA and its Progeny: States Take Control While Congress Weighs a Broad New Law) that many other U.S. state legislatures are also considering and passing laws that are similar to CCPA. Nevada, New Jersey, and Maine were mentioned. These laws will be “something like” CCPA, but all of them will have differences. This situation seems quite similar to how data breach notification laws propagated across the U.S. state landscape. Today every one of the 50 U.S. states, in addition to D.C. and Puerto Rico, has breach notification laws. All of them are somewhat different, and in some cases the laws are even conflicting.

It’s understandable then why Silicon Valley companies seem so concerned about CCPA and its implications. CCPA is described as similar in many respects to the General Data Protection Regulation (GDPR) that is now law in the European Union. “It grants state consumers a right to know what information companies have on them, a right to have that information deleted and the right to opt-out of the sale of that information” (TechCrunch, Sept. 2019, Silicon Valley is Terrified of California’s Privacy Law. Good.). Complying with CCPA will be troublesome for many of the companies in Silicon Valley, but more importantly, the provisions to limit the sale and monetization of personal information could be deadly to their business models.

So, an interesting thing is occurring. Companies like Facebook, Google, and Amazon, among others, have found a common cause in advocating that “Congress pass weaker federal privacy legislation that would overrule state laws.” (New York Times, September 24, 2019, Group Behind California Privacy Law Aims to Strengthen It).

While I reject the reason that these companies wish to see a federal privacy law, that being that it wouldn’t be as stringent as GDPR or the CCPA in terms of providing privacy protections to those of us living in the U.S., I do see a strong rationale for a federal law. The European Union has shown us a path forward in terms of consumer privacy with GDPR. They view data privacy as a human right. A very good thing, and something that we in the U.S. should adopt as well. Our U.S. legislature should not rely on the states to define the basic rights that we all have to privacy in the digital age. This is too important, and too all-encompassing, to be done on a regional level where some states might provide for strong privacy protections while other states not so much.

It is time that the U.S., its legislature and regulators, steps up to provide its citizens with strong privacy protections in the age of Google and Facebook. We all should have knowledge of, and control over the use and disposition of, the personal information that companies collect on us. Shouldn’t each of us have the right to ask a company that we do business with to not sell our data? It just doesn’t seem like too much to ask. And while CCPA takes California residents a long way toward that, this really should be something that residents of all states can rely on. Therefore, it should be the responsibility of our federal government to enact legislation that isn’t watered down.