BEDFORD HILLS, Va. — The new data privacy law passed in California on June 28 is that state’s attempt to rectify the excesses revealed by Cambridge Analytica and other organizations lately in which consumer information was used, sold and frequently ravaged without consent. The California Consumer Privacy Act of 2018 imposes some requirements on companies in the state that dramatically change the way consumer information is handled.
The CCPA, as it’s becoming fondly known, closely follows the EU’s recently enacted GDPR (General Data Protection Regulation) in that it gives people access to the information that companies have stored, enables them to opt out of having their data shared and includes the EU’s concept of the right to be forgotten. The law also allows companies to compensate people for the sale of their data, and it provides for enforcement by the state attorney general.
As one might expect, the tech industry has vowed opposition to the new law–sort of. Facebook is already saying that it is in compliance. Other companies are suggesting that the new law might mean the end of the internet, perhaps a real inconvenience, or both. But in reality, it’s neither.
Not All That Different from GDPR
For most large tech companies, the differences between the CCPA and the GDPR are minor. Other than the parts of the GDPR that govern where data is stored, and the draconian penalties the GDPR places on noncompliance, a company that already complies with the GDPR should have no problems complying with the CCPA.
While the CCPA applies only to California citizens, its reach is far broader than that. First, companies of any size–the targets of the CCPA–operate in places beyond California, and it’s unlikely that they’ll have one set of procedures for Californians and another for everyone else. Second, it remains to be seen how this law will affect companies that aren’t located in California but do business there, although it’s probably safe to assume that California’s AG will say that it does apply to them.
“California’s law will raise the bar significantly, and this won’t be the last time it’s raised as states seek to emulate the EU’s new General Data Protection Regulation (GDPR),” Robert Cattanach, a partner at the international law firm Dorsey & Whitney, who practices cybersecurity and data privacy law, said in a media advisory. “This measure is likely to increase litigation as more consumer rights are created and expanded. That said, it is a compromise. Had the initiative passed, it had the potential to create even more significant problems for businesses and tech companies.”
Patchwork of State Laws Could Become a Big Problem
Cattanach isn’t the only one who is predicting that the CCPA will have an impact on states. Unfortunately for the tech industry, it’s unlikely that those states will simply pass their own versions of California’s law. What’s much more likely to happen is that each U.S. jurisdiction will pass its own law with its own privacy provisions. To some extent those laws will follow what the EU and California have done, but local interests are certain to result in legislation that adds restrictions, reporting requirements or new consumer rights.
The result is going to be a patchwork of statewide laws with which each company doing business in those states must comply. What’s worse is that there will be independent reporting requirements, different enforcement methods and wildly different penalties for non-compliance.
Another way to describe that result is “chaos.” The tech industry will either have to start depending on location services so that it knows where each user’s data is during the course of each transaction, or it’s going to have to start excluding (wherever possible) states with regulations that it deems too onerous.
That in turn means that small states with strong privacy rules may find themselves without some services. After all, a small business without the resources to determine the rules in each state may well decide that the risk isn’t worth it. This is not unlike the situation those businesses are dealing with, now that the U.S. Supreme Court has said that states and localities can demand sales tax from ecommerce companies.
New Cottage IT Industry Around Regulation Services Could Arise
While there will potentially be a service that will be able to help those companies determine jurisdictional rules–and do it automatically–it seems unlikely that smaller companies will want to add this cost to their bottom line.
But there is an alternative. The U.S. Congress could show some leadership and produce privacy legislation that applies to the entire nation and preempts state privacy rules. Assuming that such legislation is at least compatible with the GDPR, companies in the U.S. would be able to comply. There may be a set of rules for the U.S. and another for the EU, but if they have basically the same requirements, it would be possible for businesses to comply.
The problem, unfortunately, is that Congress has shown no indication that it will act. There’s been discussion of a U.S. privacy law for years now, and following the GDPR and Cambridge Analytica, that talk has seemed more urgent, but there’s a great distance between talk and action.
Enactment is Still Two Years Away, So Anything Can Happen
If there’s a saving grace to the CCPA, it’s that the law doesn’t take effect for two years. This means that there’s a possibility that Congress can focus on some national legislation that is badly needed by the tech industry and other businesses where ecommerce has changed everything. A privacy law is just one part of that; so is some sort of national sales tax law. There will be others.
But the other choice is to let tech companies become overwhelmed in a sea of conflicting regulations, so that only the largest companies survive.