When the Legislature passed the California Consumer Privacy Act last year, it touched a match to a tinderbox of concerns about how much of our personal information is outside the protection of federal laws. Now companies of all kinds are lining up to support federal data-privacy rules — so long as those would preempt the CCPA and any similar state privacy laws.
That upsets some privacy advocates and California representatives in Congress, who are threatening to take a hard-and-fast position that the CCPA must be insulated. “California’s law is best,” said Rep. Jackie Speier (D-Hillsborough), “why would we want to preempt it?”
As the first state law to regulate online privacy (it’s set to go into effect in January) and with that law coming from the nation’s most populous state, the CCPA will have widespread impact. But as a model for meeting the challenges of today’s data explosion, it falls short of setting the gold standard. The right federal law can provide broader and stronger protection.
Central to the CCPA are a “right to know” what information businesses collect about you and whether it is shared or sold, and a “right to opt out” from the sale of personal information. These elements increase individual control over personal data, but this exclusive focus on control is squarely in line with legacy laws and regulations that rest on faith in consumers making choices to protect their individual privacy.
The effectiveness of this approach is becoming a mirage as the amount and pace of data collection keeps expanding. As Michelle Richardson of the advocacy group Center for Democracy and Technology explained in a recent Senate hearing, “Existing privacy regimes including … CCPA rely too heavily on the concept of notice and consent, placing an untenable burden on consumers and failing to rein in harmful data practices.” Privacy experts widely believe that the law needs to shift the burden away from individuals and onto the businesses that collect personal information.
If members of Congress pay attention to such testimony, they can protect personal information regardless of what choices the individuals make as they deal with today’s digitized world. Federal law can do much better than the CCPA by requiring that business collect, use and share personal information in ways that protect the interests of the individuals affected.
CCPA supporters want to keep other newly established consumer rights. In particular, under the state law, Californians have the right to access data about themselves, to correct this data, to have it deleted and to take it to another provider. These are important tools — but they are likely to be included in any federal law; even the staunchest pro-business lobbyists, such as the U.S. Chamber of Commerce and the Business Roundtable, support including such rights in a federal privacy bill.
The CCPA does include an individual right to sue companies, something Congress is unlikely to adopt. As currently framed, this right is limited to data breaches and not to other privacy violations, though that may change as the Legislature amends the law this year.
Amendments would have to go a long way to fill the significant gaps left by the CCPA’s focus on individual choice. A federal law can improve on the CCPA by placing boundaries on how businesses collect personal information in the first place and regulating its uses and practices beyond just ad tracking or sale of personal information. Only Congress has the power to regulate interstate commerce and apply these protections, as well as those in the CCPA, to people and businesses across the country.
When the European Union adopted its privacy laws — the General Data Protection Regulation — it did so not only to raise the bar for personal-data privacy and security, but also to set the bar at a consistent level across all the member states and raise global competitiveness. But the EU law relies on agencies in each member state for enforcement. A federal law that authorizes the Federal Trade Commission and state attorneys general to enforce it would give the United States the strongest privacy enforcement regime in the world.
Privacy advocates and the California congressional delegation should not assume that legislation preempting the CCPA and other state laws will diminish protection. A strong federal law could accomplish more than merely streamlining a patchwork of state laws. It could give all Americans a basis to trust that all personal information will be handled in ways consistent with their interests.
Cameron F. Kerry is a distinguished visiting fellow at the Brookings Institution. He previously served as general counsel and acting secretary of the U.S. Department of Commerce. Twitter: @Cam_Kerry