Security Shredding and Storage - a shredding industry publication

Sweeping California Privacy Law Could Spark Federal Legislation

By P.J. Heller
The California Consumer Privacy Act, a sweeping new privacy law signed into law earlier this year by Gov. Jerry Brown, could prompt similar legislation by other states or move Congress to enact a tough nationwide consumer online privacy policy.

California’s Assembly Bill 375, described as the most stringent in the nation, is scheduled to go into effect in 2020. In the meantime, amendments are expected (a so-called “clean-up” bill has already passed) and companies worldwide that meet certain requirements and that collect, use, disclose or receive personal information of California residents will be working to come into compliance.

The California bill was unanimously passed in the wake of major data breaches, including the Cambridge Analytica case that involved improper data collection from tens of millions of Facebook users and the Equifax breach that compromised the identity of more than 140 million people.

AB 375 was approved shortly after passage of the European Union’s General Data Protection Regulation (GDPR), which gives individuals control over their personal data. The two measures share some general features, but concerns have been raised about how companies will meet the different compliance regulations and address varying privacy laws from state to state.

Rather than have the privacy measure put to California voters in a November 2018 ballot initiative, legislators scrambled to pass the state law in June to give consumers more control over how companies collect and manage their personal information. It includes provisions that allow consumers to see the actual data collected, the right to have that data deleted and the ability to opt out of having the information sold.

AB 375 “puts the focus on giving choice back to the consumer, a choice which is sorely needed,” said Alastair Mactaggart, chair of Californians for Consumer Privacy, which led the privacy effort.

James P. Steyer, chief executive officer and founder of Common Sense Media, a major supporter of the measure, called passage of the bill a “huge win.”

“The personal information and private data of Americans are routinely collected and used without our knowledge, and our well-being, as well as the health of our democracy, have suffered as a result,” he said. “This is the right first step toward ensuring that Americans have strong data privacy protections.

“The state that pioneered the tech revolution is now, rightly, a pioneer in consumer privacy safeguards, and we expect many additional states to follow suit,” Steyer added.

He said AB 375 gives consumer privacy advocates a “blueprint for success.”

“We look forward to working together with lawmakers across the nation to ensure robust data privacy protections for all Americans,” Steyer said.

Not everyone was enamored with the California legislation.

Nicole Ozer, technology and civil liberties director for the ACLU of California, said the measure “utterly fails to provide the privacy protections the public has demanded and deserves. Nobody should be fooled to think AB 375 properly protects Californians’ privacy.

“This measure was hastily drafted and needs to be fixed,” Ozer said. “When that happens next year, effective privacy protections must be included that actually protect against rampant misuse of personal information, make sure that companies cannot retaliate against Californians who exercise their privacy rights, and ensure that Californians can actually enforce their personal privacy rights.”

Robert Callahan, vice president of state government affairs for the Internet Association, also criticized the measure.

“It is critical going forward that policymakers work to correct the inevitable, negative policy and compliance ramifications this last-minute deal will create for California’s consumers and businesses alike,” Callahan said.

Others are looking to Congress to pass privacy legislation rather than having a possible hodgepodge of state regulations.

“While this law (AB 375) just covers California currently, large companies will soon have to offer similar rights to all Americans,” said Mactaggart, the chief proponent of the California Consumer Privacy Act. “How on earth are they going to tell a New Yorker or a Texan that what’s good for a California consumer is out of reach for another state’s residents? It’s time for these companies to provide transparency and choice to all consumers, and if Congress is considering a national law, then California’s must be the minimum standard.”

Thomas C. Donohue, president and chief executive officer of the U.S. Chamber of Commerce, said his organization is working on a legislative proposal for Congress “to prevent a patchwork of state rules that would pose a nightmare for businesses that operate across state lines. In today’s interconnected world, data know no boundaries and require a federal framework.

“The Chamber is not only concerned about a patchwork of state laws in our country, but a patchwork of international requirements that present similar challenges for businesses operating around the world,” Donohue added.

David F. Grimaldi, executive vice president at the Interactive Advertising Bureau, which represents more than 650 companies that account for the vast majority of online advertising sold in the United States, agreed that Congress needs to step up.

“A uniform federal privacy standard could provide clarity, market certainty, and add fuel to future innovation, while preserving the value and benefit that online advertising brings to the internet ecosystem,” he said.

Some of the largest tech companies, including Alphabet Inc.’s Google, have indicated they would support a federal bill that would take precedence over California’s privacy law.

After the Cambridge Analytica scandal, Facebook CEO Mark Zuckerberg told CNN, “I’m not sure we shouldn’t be regulated.”

More recently, Zuckerberg, Apple chief executive Tim Cook and Google CEO Sundar Pichai all expressed support for privacy legislation.

“It is time for the rest of the world, including my home country, to follow your lead,” Cook said in a keynote speech to an international conference in Brussels on data privacy. “We at Apple are in full support of a comprehensive federal privacy law in the United States.

“Our own information — from the every day to the deeply personal — is being weaponized against us with military efficiency,” Cook said. “This is surveillance. And these stockpiles of personal data serve only to enrich the companies that collect them. This should make us very uncomfortable. It should unsettle us.”

The Commerce Department reportedly was working this summer on a proposal to protect online privacy. It was expected to be released this fall.

“Through the White House National Economic Council, the Trump Administration aims to craft a consumer privacy protection policy that is the appropriate balance between privacy and prosperity,” Lindsay Walters, a White House spokesman, said in a statement. “We look forward to working with Congress on a legislative solution consistent with our overarching policy.”

Cameron Kerry, a former acting secretary in the Commerce Department during the Obama Administration who led a task force that developed the Consumer Privacy Bill of Rights issued by the White House in 2012, said that document, which never went anywhere, could serve as a starting point for federal legislation.

“As policymakers consider how the rules might change, the Consumer Privacy Bill of Rights we developed in the Obama administration has taken on new life as a model,” Kerry wrote in an article published on the Brookings Institution website.

“One thing should be clear, even though we live in a world in which we share personal information more freely than in the past, we must reject the conclusion that privacy is an outmoded value,” Obama said in the report Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy. “It has been at the heart of our democracy from its inception, and we need it now more than ever.”

“The fundamental need for baseline privacy legislation in America is to ensure that individuals can trust that data about them will be used, stored, and shared in ways that are consistent with their interests and the circumstances in which it was collected,” Kerry said in the Brookings article. “This should hold regardless of how the data is collected, who receives it, or the uses it is put to. If it is personal data, it should have enduring protection.”

Mactaggart and Kerry both agreed that challenges remain to implementing a nationwide online privacy policy.

“There will certainly be a battle in the coming years, either in the California Legislature or in Congress, as companies seek to return to a world free of any limitations on what they can do with consumer’s personal information,” Mactaggart said.

“Trade-offs to get consistent federal rules that preempt some strong state laws and remedies will be difficult, but with a strong enough federal baseline, action can be achievable,” Kerry predicted.

Kerry added that while the EU’s General Data Protection Regulation had “a lot of good in it . . . it is not the right model for America.”

Commerce Secretary Wilbur Ross also expressed concerns about the EU privacy regulation, saying it could hurt trade with the U.S.

“GDPR creates serious, unclear legal obligations for both private and public sector entities, including the US government,” Ross wrote in an op-ed in The Financial Times. “We do not have a clear understanding of what is required to comply. That could disrupt transatlantic cooperation on financial regulation, medical research, emergency management coordination, and important commerce.”

While California’s privacy legislation is somewhat similar to Europe’s General Data Protection Regulation rules, Mactaggart noted there are differences.

“The most obvious difference is in who is a covered entity: in Europe, all entities of any size are subject to GDPR, whereas CCPA only covers businesses with over $25 million in revenue, and data brokers selling large amounts of personal information,” he explained in written testimony to Congress. “The second big difference is in the European approach of requiring user consent before any processing can take place.”

Under GDPR, a corporation must obtain a consumer’s approval before collecting and processing his or her data. The California law gives consumers the right to know what personal information is being collected about them and to opt out of the sale of their personal data. People 16 years and under must give permission or opt in to allow the sale of their personal information.

Mactaggart said AB 375 “represents one step towards damming the flow of this river of information, from consumer towards giant, multinational corporation, and thence out to an entire ocean of companies the consumer has never heard of, and would never choose to do business with.

“The 5th largest economy in the world now has meaningful privacy protections for the first time in history,” he said. “We will not only defend the historic gains we’ve made this year, but will continue our work to expand these rights to all consumers.”
