California’s privacy reforms can drive national legislation

Register now

California lawmakers recently passed amendments to its privacy law that fell far short of industry hopes, further uniting business leaders in pushing for federal privacy legislation.

Given the limited scope of the amendments to the California Consumer Privacy Act, businesses must sprint for compliance by the statute’s Jan. 1 effective date, with no expectation of relief. The CCPA’s demands add urgency to the parallel race for federal legislation to preempt California’s and other states’ laws.

There is unanimous agreement on the need for federal law, but all sides have to temper passion in favor of realistic compromise to get to the finish line. That includes accepting a federal privacy law that would not satisfy every (perhaps any) party’s ambitions, but would establish a unified national framework of privacy rights and principles.

The CCPA broadened consumer rights to know how their personal information is collected, used and shared. It also established new consumer rights to obtain copies of all their personal information; to demand deletion of it; to opt-out from the sale of their information; and to non-discrimination.

The recent amendments to the CCPA, pending the Governor’s signature, correct various errors in the law and provide breathing room on a few provisions. For example, one amendment provides a moratorium until 2021for employee-related data. Another clarifies that the exemption for “publicly available” information does not limit a business's use of that information solely to the same purpose that the government makes it publicly available.

Other amendments supported by the industry, such as attempts to limit the breadth of covered personal information or to allow businesses to collect and use data for loyalty programs or for targeted advertising, may be pursued again in 2020. But the vociferous, conflicting efforts of industry and privacy advocates guarantee that broad changes will continue to face extraordinary hurdles, and the CCPA framework will survive largely intact.

No business can afford to hang back given the CCPA’s Jan. 1 effective date. For most, implementation realities necessitate compliance with the CCPA’s requirements essentially nationwide, not solely in California.

Businesses that have tackled Europe’s General Data Protection Regulation have found that the CCPA is no mini-GDPR. It has broader application and different prescriptive requirements in many areas.

For financial institutions, the exemption for data covered by the Gramm-Leach-Bliley Act leaves significant swaths of data still subject to the CCPA’s general provisions, as well as exposure to private rights of action for any data breaches.

While the CCPA appears likely to set the U.S. standard until federal legislation is adopted, other states’ activities — like New York’s proposed imposition of a fiduciary duty for consumer data — could raise the bar further. Even absent more stringent requirements, the states’ differing flavors of privacy law will greatly complicate compliance efforts.

All sides are eager for adoption of a federal privacy law. But radically differing visions have prevented significant progress. For too long, federal authorities and industry advocates floundered in searching for a concrete framework.

Meanwhile, privacy advocates’ ambitious legislative attempts made little headway. This includes the proposed creation of a privacy and data protection agency similar to the Consumer Financial Protection Bureau, and the adoption of baseline federal privacy requirements that would allow states to set stricter standards.

Fifty-one of the country’s preeminent CEOs submitted to Congress Sept. 10 a Business Roundtable letter proposal for privacy legislation. The proposal takes a risk-based approach by imposing greater legal obligations while providing flexibility for organizations to apply greater protections for data and activities that present higher risk.

The proposal outlines a national framework that would preempt state and local laws and identifies the Federal Trade Commission as the appropriate regulatory authority. It also suggests that there should be no private rights of action, but state attorneys general should have enforcement authority.

This united push by industry leaders, coupled with Republicans’ interest in passing legislation before the next election, provide hope for action.

Yet progress will remain elusive if parties stay entrenched in their ideological positions or demand a detailed statutory framework. Ideology must be subsumed to practical reality in order to achieve consistent privacy protections for consumers nationwide.

The best hope for agreement is to develop a framework of key privacy rights and principles, while entrusting expert federal agencies to pursue data-based analysis and development of implementation requirements. The question remains whether advocates for action are ready to engage in a practical reality to achieve it.

For reprint and licensing requests for this article, click here.
Data privacy Data privacy rules Consumer banking GDPR Data breaches Cyber security