California has led the way as state legislatures grapple with how to protect the vast amount of data citizens share online every day. In the absence of federal policy, a variety of tactics are being explored in states.
As Americans spend more time hopping from Zoom meetings to retail websites to news sites — especially during increased time at home due to the coronavirus — some are increasingly concerned about protecting their digital privacy and data. Lawmakers throughout the nation are responding by working to pass online privacy legislation on the state and federal levels. But controversy over who should enforce the laws, the definition of consumer information, and whether citizens should be able to sue companies in the event of a data breach or other violation are among the top issues holding up legislative efforts. And with lawmakers focused on pressing coronavirus impacts, legislative efforts on digital privacy are largely paused, experts say.
“There are a lot of proposals in many state legislatures,” said Hayley Tsukayama of the Electronic Frontier Foundation. “But with the coronavirus, many have reassessed their priorities about what’s moving and what’s not … and many [proposals] are not.”
Still, legislative movement is expected when the nation returns to some level of normalcy, and when it does, California will likely retain its reputation as a leader in the quest for online privacy with its California Consumer Privacy Act (CCPA), which went into effect on Jan. 1, 2020. Some states view it as a template for their own measures.
“California is definitely a standout in a lot of different ways. … It has set the standard and the bar that other states are following,” said Ashley Johnson, of the Internet Technology and Innovation Foundation (ITIF). The Golden State’s efforts have spurred action — or at least discussion — of the issue at the federal level. But whether a bipartisan compromise can be achieved remains to be seen.
Federal proposals
Two key bills are pending in the Senate Committee on Commerce, Science and Transportation — one from Committee Chairman Roger Wicker, R-Miss., and another from ranking member Maria Cantwell, D-Wash. The bills contain some similar provisions to California’s and some overlap, but differ in key areas. Wicker’s bill would override any state measure, and Cantwell’s would not. Cantwell’s also contains the controversial private right of action provision, which has been the sticking point in some state legislation. Wicker’s contains no such provision.
Johnson believes it is important that a federal bill override state measures so “every company in the U.S. knows what to expect,” rather than have to adapt to 50 different sets of rules. Her organization also does not support private right of action provisions. She said the CCPA’s provision granting private right of action in limited circumstances has kept proponents of the provision from compromising on the federal level in that regard.
“They have gotten their way in California,” she said, adding that her organization would rather see a federal law under which the Federal Trade Commission has jurisdiction in enforcing privacy and could fine a company that doesn’t don’t follow the law.
Tsukayama says private right of action is a provision her organization, EFF, believes is foundational to any good data protection measure.
California's way
The California Consumer Privacy Act of 2018 is multifaceted, granting consumers the right to ask a business to disclose the personal information it has collected about them as well as the source of the information and its business purpose. Consumers may request that the information be deleted by the business. The measure also allows consumers to opt out of a company’s sale of their information. The law went into effect Jan. 1, 2020, but the California Attorney General’s Office, as of early May, had not yet completed writing its implementing regulations and is expected to do so this month.
Johnson, of ITIF, says one of the most controversial aspects of the law is its private right of action provision, which allows consumers to sue a company that has collected their data if a data breach occurs. Johnson also believes the act “disincentivizes” data collection needed for emerging technologies such as artificial intelligence and the Internet of Things (IoT).
“We think it might stymie innovation in AI and IoT,” she said.
Tsukayama, of EFF, said one of her organization’s concerns about the CCPA is that it allows private right of action lawsuits only in limited circumstances involving data breaches. Her organization has proposed follow-up legislation allowing people to sue companies for every privacy violation, not just data breaches. In addition, EFF is concerned that the CCPA does not have strong enough enforcement provisions. Under the act, the state attorney general would bring suit in cases of violation. Tsukayama said the AG’s office has stated it can handle only two to three such cases per year.
“We run the risk of having these really grand-sounding pieces of legislation that sound like they do a lot, but when the rubber hits the road, there’s not enough resources there to make sure consumers get the protections that are in the laws,” said Tsukayama.
Daniel Castro of ITIF (and a Government Technology columnist) said he supports the CCPA’s provision of “notice to cure,” under which a company, if given notice of a violation, would then be advised to amend the violation within a set period of time.
“In a way, that idea can potentially mitigate a lot of concerns about lawsuits,” said Castro.
Castro said other states are looking to implement similar notice to cure provisions in their legislation.
California has recently enacted other privacy laws, including measures that require the AG’s office to make information from data brokers available on its website and a law pertaining to smart televisions that prohibits the recording of voices through voice recognition software.
