New Year, New US Data Privacy Regulations

California’s Consumer Privacy Law Takes Effect January 1

By Michael Moran

As Microshare CTO Tim Panagos and I predicted nearly two years ago, the first shots in the regulatory battle over privacy and personal data in the United States have been fired by the states, not by the federal government.

No, we’re not on the brink of civil war, but a genuine divide is opening up between the way activist states like California and New York view Big Tech’s interaction with our personal data and the way more libertarian states view it. And for better or worse, that division – like so many others in American society today – is perfectly mirrored in Congress.

First, let’s finish our victory lap. Back in 2018, Tim and I penned a white paper, IoT and GDPR, looking at the implications of the May 2018 introduction of the General Data Protection Regulation on the US tech sector, and on IoT in particular. In it we noted that “GDPR is unlikely to bring a quick US government legislative response, at least at the federal level. More likely, New York or California will develop as a lead jurisdiction, forcing companies to comply due to their market size just as GDPR is forcing non-EU companies to pay attention.”

Hooray for us. On January 1, 2020, the new California Consumer Protection Act (CCPA) will go into effect and have precisely the impact Tim and I predicted: wide-ranging for companies that garner or resell personal data derived from consumer interactions, and virtually no impact on far-sighted businesses like Microshare, whose IoT data solutions scrupulously avoid intersection with client mainframes or cloud architecture, and which anonymize any interaction with the public.

But for most of the technology world – not just the Googles, Apples and Facebooks of the world, but virtually anyone with a transactional website or a Mailchimp account – CCPA will matter. Unless you do no business with Californians, of course. But that’s unlikely. California is not only the largest internal market in the US, but if it were a nation, its $2.9 trillion 2018 GDP would make it the fifth largest economy in the world, slotting in right between Germany (No. 4) and the UK (No. 6). Just as the EU’s massive size meant no global firm could ignore GDPR, so too must US-based firms bow, however reluctantly, to Sacramento.

From GDPR to CCPA

So, let’s say you have already done an audit of your data privacy policies and your handling of third-party data for May 2018’s introduction of GDPR. Are you covered for CCPA?

Of course not. California’s state legislators, once incredibly pliant when it came to technology regulation due to the power of Silicon Valley lobbyists, have since 2016 joined the bandwagon of tech bashers – a vote-winning caravan in a largely Democratic state since the 2016 Facebook-Russia election fiasco.

As the state’s Department of Justice notes in an advisory published last year, “A business that complies with GDPR and is subject to CCPA may have additional obligations under CCPA.”

Here are a few of these variances:

  • Data Inventories: GDPR requires companies to undergo a data inventory and mapping of data flows in furtherance of creating records to demonstrate compliance. CCPA requires additional mapping under different requirements.
  • The Definition of Personal Data: GDPR requires companies to put in place processes to respond to individual requests for access to personal information and for erasure of that information. But the CCPA defines “personal data” somewhat differently than GDPR. As California’s DOJ puts it, “businesses may need to review and reconcile the different definitions of personal information and applicable rules on verification of consumer requests.”
  • Data Disclosures: Like GDPR, CCPA requires companies to disclose specific business practices in a comprehensive privacy policy. Many California companies that operate commercial websites and online services must post a privacy policy under the California Online Privacy Protection Policy, or CalOPPA, and will need to update this policy for CCPA.

The bottom line: lots more work (and much higher fees) for your legal team – and that’s assuming neither the state regulatory body nor a consumer class action group sues you.

Okay, so you will review your privacy policies for compliance with CCPA. What’s the next hurdle?

Rumblings Back East

Eventually, we will see national data regulation come out of Congress. In November, Sen. Maria Cantwell, D-WA and the top Democrat on the Senate Commerce, Science and Transportation Committee, introduced a new privacy bill, the Consumer Online Privacy Rights Act, aimed at providing consumers with digital “Miranda rights” and imposing tough penalties on companies that abuse consumer data. It has little chance of becoming law because Republicans object to some of the bill’s more burdensome disclosure requirements.

Nonetheless, there’s support in both US parties for legislation that would protect consumer privacy. Republicans, eager to find some compromise that would prevent a patchwork of state laws like the CCPA from being enforced, have made their own proposal. While dialing back some of the disclosure requirements of Cantwell’s bill, the Republican version is tougher in some ways on Big Tech than either Cantwell’s bill or the CCPA. It also includes so-called pre-emption of state laws and doesn’t include a private right of action for individual consumers. Or, put in plain language, it would make CCPA irrelevant.

The GOP bill, sponsored by the ranking minority member of Cantwell’s committee, Sen. Roger Wicker of Mississippi, includes narrower yet more specific requirements on disclosure of corporate privacy policies and practices. It also requires express opt-in consent from consumers before a company could collect or transfer their sensitive data, including many types of health and personal identification information. The Cantwell and CCPA versions really amount to no more than disclaimers.

Cameron Kerry, a fellow at the Brookings Institution think tank and former senior Obama administration official, told the Wall Street Journal that the Republican version has merit. He noted that while California’s law relies on consumers to opt out from the sale of personal information, “what we really need to be doing is putting the obligation on business. The Wicker bill does that.”

So far, the two sides remain far enough apart to make national data regulation in the United States unlikely, particularly in a politically fraught presidential election year. How President Trump would react is hard to gauge, since such regulation generally goes against the grain of his rhetoric, yet at the same time he’s made no secret of his disdain for Big Tech.

Big Technology firms seem to view these developments as inevitable, given the public anger over recently disclosed abuses enabled by the laissez-faire regulatory approach that had been the rule since the Internet’s establishment in the 1990s.

“California is a good first step because it has some very important rights built in around user control,” Microsoft’s Chief Privacy Officer, Julie Brill, told The New York Times this week. “But too much of a burden has been placed on individuals. We need to ensure that companies share the burden to protect individual data in the United States.”

“That means things like requiring companies to assess the data that they have and to make sure that they’re adequately protecting it. It should include privacy by design. Good stewardship requirements should also include principles like data minimization.”

If all of this sounds like a brewing regulatory nightmare, there is an antidote. Microshare CEO Ron Rock and I proposed a far-reaching system for managing third party data rights in the hope that negative approaches (i.e., regulation that seeks to punish rather than a reform that actually solves the issue) might catch on.

But a new year is once again upon us, and hope springs eternal that a comprehensive solution that does not damage innovation will still emerge.

Michael Moran is Microshare’s Chief Sustainability Officer and Director of Communications.