California Privacy Law May Ripple Across US, Say Consumer Advocates, Others
A state privacy law is likely to have effects beyond California, said consumer privacy advocates and others Friday. Last week’s bipartisan enactment of AB-375 (see 1806280054) may encourage other states to write their own privacy laws, they said. Tech companies warned the law needs work and isn’t ready to be copied. The authors said changes are likely before the mandates take effect in January 2020.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
“It’s very hard for companies to segment their customer base and give different rights and remedies to different people based on where they live in one United States of America,” said Consumer Watchdog President Jamie Court in an interview: It may be logistically possible, more so for larger companies, but “people in New York are not going to like that.” When the first few companies apply rules across the U.S., it will set a standard for others, he said. Rather than try to “geofence” California, companies probably will offer the state law’s protections across the nation, agreed Justin Brookman, Consumers Union director-consumer privacy and technology policy.
“Some will likely follow the California privacy law for everyone, just as some are applying the changes required by the GDPR to all users,” emailed Information Technology and Innovation Foundation Vice President Daniel Castro of EU's general data protection regulation. “But these decisions will likely be made on a case-by-case basis, as some businesses may find that either the compliance costs or the impact on revenue is too significant to deploy everywhere.” Data isn’t easily contained within state borders, blogged American Enterprise Institute visiting scholar Babette Boliek. “To comply with a California-specific law, some companies may find it administratively easier to extend the policy nationwide.”
The new law seems to regulate conduct of businesses outside the state’s physical borders, violating the Commerce Clause, argued American Legislative Exchange Council Communications and Technology Task Force Director Jonathon Hauenschild. “For the law to apply, according to the definition section, the business need only do ‘business in the State of California’ and meet one of three criteria,” the ALEC official said. “There will be businesses that have consumers in California, that meet the criteria, and which do not otherwise have a presence in the state.”
“It’s my strong belief that these new California rights will soon extend to the rest of the United States,” said Californians for Consumer Privacy Chairman Alastair Mactaggart, who pushed for the ballot initiative that led to the California law.
With California privacy law passage and recent GDPR implementation, “we may soon be approaching a tipping point on digital privacy, as Congress and Washington watch from the sidelines,” FTC Commissioner Rohit Chopra tweeted Friday.
States Watching
“California will be the first of many states to wade into this area, in response to consumer demands,” emailed Connecticut Consumer Counsel Elin Swanson Katz, member of a Connecticut working group that will make legislative recommendations about protecting consumer privacy. “I anticipate that Connecticut will see another data privacy bill in the next legislative session.”
Lawmakers in other states will follow California’s lead, predicted Common Sense CEO James Steyer. "We expect many additional states to follow." Common Sense plans to work “with lawmakers across the nation to ensure robust data privacy protections for all.” California historically has set the bar for other states, Court said.
Privacy bills probably will surface elsewhere, only having legs in Democrat-controlled states, said Hauenschild. But Castro pointed to 50 data breach laws as reason to consider 50 different privacy laws as “a real possibility.” Congress should intervene to prevent such a patchwork, he said. “This should be wakeup call to Congress that it needs to pass federal legislation that preempts all state privacy laws and regulations, guarantees consumers notice and choice, and allows Internet companies to structure their business models as they choose.”
Other states probably “will be lobbied strongly to keep [bills] in line with what California is offering,” CU's Brookman said. The California law likely adds momentum to federal privacy law talks, he said. “It's challenging to comply with 50 different state breach notification laws” and tougher to follow different state privacy laws, especially online, he said. Court doubted Congress will act because trying to pre-empt state privacy laws would be mid-term election “suicide” for members.
Not Finished
TechNet warned politicians outside California to take things slowly. “California legislature's work is far from finished and that this law remains a work in progress before it takes effect,” said CEO Linda Moore. “While this law adds a significant new layer of privacy protections for California consumers, even its authors have acknowledged it is far from perfect and will need revisions.”
“Circumstances of this bill are specific to California,” said Internet Association Vice President-State Government Affairs Robert Callahan, referring to the one-week turnaround on proposing and passing the bill to beat a deadline for withdrawing a ballot initiative. “Policymakers [should] work to correct the inevitable, negative policy and compliance ramifications this last-minute deal will create.”
“Many elements of the new legislation seem a bit mercurial, and the language is astonishingly imprecise,” emailed Hogan Lovells’ Mark Brennan, a privacy attorney for businesses. “If not fixed, a number [of] existing privacy-enhancing technologies and service approaches will be threatened, and consumers could ultimately end up worse off and their data more exposed to bad actors.” Some parts exceed GDPR requirements, which could hurt U.S. companies, he said.
The mostly good law lacks teeth and “introduces very troubling concepts into law,” said Brookman, who wrote the legislature Thursday. CU opposes a provision letting companies "charge higher prices to consumers who decline to have their information sold,” he said. “We are also troubled by the law’s ‘right to cure’ provision which would allow a business to avoid responsibility for breaking the law -- as long as it stops within 30 days of being caught.”
California lawmakers plan to review language giving a private right of action, Assembly Privacy and Consumer Protection Chair Ed Chau (D) said Thursday at a livestreamed news conference. “The attorney general may also have some issues that we need to fine-tune,” he said. “The intent is to sit down and work with stakeholders on what issues need to be resolved first.” Chau hopes to find fixes this year, he said.
Implementation is delayed but the law “will have immediate impact … just by virtue of its existence,” said Sen. Robert Hertzberg (D), another AB-375 sponsor. Companies probably will study the law and look for ways to comply immediately, before it takes effect, he said. “Standards will change.”
Industry is unlikely to acquiesce, said CW’s Court said: “Phase one is try to gut it in the next year and a half” before the law takes effect, and “phase two is sue.” Only after those tactics fail, he said, will companies plan implementation.