September 17 - Data Security
Sign-up today for your complimentary subscription to the State Net Capitol Journal to stay up-to-date on the latest news from America’s statehouses.
Editor: Rich Ehisen
Associate Editor: Korey Clark
Editorial Advisor: Lou Cannon
Contributing Editor: Mary Anne Peck
Graphic Design: Vanessa Perez Design
Ideas and suggestions are always welcome. Please let us know how we can improve your newsletter! We welcome your feedback.
State Net Sign-on Page
State Net Product Page
HomeSpotlight Story | Bird’s Eye View | Budget & Taxes | Politics & Leadership | Governors | Hot Issues | Once Around the Statehouse Lightly
Taking a cue from the European Union’s expansive new General Data Protection Regulation (GDPR), California lawmakers this June adopted the toughest and most complex data privacy regulations in the United States. Given the state’s history of driving national policy, the logical question is whether the California Consumer Privacy Act (CCPA) will inspire other states or even the federal government to impose strict new data privacy regulations of their own.
According to experts we spoke to, the answer is a definite...maybe.
“Over the years several California privacy statutes have been copied by other states. But they were mostly simple and straightforward,” says Kristen Mathews, a partner in the New York City-based Proskauer Rose LLP law firm and the head of its global Privacy & Cybersecurity Group. “This new California law is not simple. I don’t think it would be my first contender for a law that other states will copy.”
She’ll get no argument from David Zetoony, a partner with the St. Louis-based Bryan Cave Leighton Paisner LLP. Zetoony, head of the firm’s global data privacy and security practice, calls the law “misguided, dubious in value and not well thought out at all.”
To be sure, not everyone sees it that way. In a blog post shortly after the bill was signed on June 28th, Alan Friel and Nilou Massachi, privacy attorneys for Cleveland-based Baker Hostetler LLP, called it “a win for both industry and consumers.”
Meanwhile, in a statement released that same day, California Sen. Bill Dodd (D), one of the measure’s three authors, noted his hope that “other states will follow, ensuring privacy and safeguarding personal information in a way the federal government has so far been unwilling to do.”
That remains to be seen, but Zetoony says it really doesn’t matter if states follow suit or not, noting that California was the first state to adopt online privacy requirements for companies doing business there. Even though other states didn’t copy them, he says most large companies adopted those policies themselves, essentially spreading the power of the law across the country.
“This law may not get emulated quickly, but it doesn’t need to be to have a national impact,” he says.
As noted, the California Consumer Privacy Act borrows heavily from the EU’s GDPR statute. Zetoony says the California law in fact is “80 or 90 percent” modeled after the GDPR. Whether you think that is a good thing or bad likely depends on whether you are a consumer advocate or a big tech company that currently collects consumer data with almost unfettered access. But wherever you fall on the CCPA, everyone agrees it is a lot less demanding than its original incarnation, which was well on its way to going before voters as a ballot initiative.
Earlier this year, a group called Californians for Consumer Privacy sponsored a drive to put a version of the CCPA in front of voters in November. Although it collected over 600,000 signatures – far more than needed to get the measure on the ballot – the group said it would withdraw the proposal if lawmakers passed an acceptable privacy bill. That sparked a frenzied effort to get something through both chambers and to the governor before the June 28 cutoff date for removing the measure from the ballot. They made it with a just few hours to spare.
So what exactly does that measure (AB 375) do? The short answer is a lot.
A very good breakdown can be found here, but the basics are as follows: as of Jan 1 2020, consumers will be able to request that companies provide them with an accounting of the data they have collected on them and require the company to delete that information. Companies will have to notify consumers that they have the right to opt out of having their information sold, and businesses can’t retaliate or discriminate against a consumer who chooses that option. Consumers will further be allowed to take legal action against a company that violates these or other tenets of the law.
As noted by the Harvard Business Review, the statute establishes a fairly broad definition of personal information that includes a whole raft of personal identifiers, such as geolocation, biometric data, internet browsing history, psychometric data, and inferences a company might be able to make about the consumer from that data.
There are, however, some limitations on who the law applies to. Companies under the law must meet one of the following criteria: have annual gross revenues in excess of $25 million; process the information of 50,000 or more consumers; or derive at least 50 percent of their annual revenues from the sale of personal information.
The bill also gave the California Attorney General’s office the chore of drafting regulations and advising businesses about compliance with the new law. That drew the ire of AG Xavier Becerra (D), who in a letter to lawmakers complained that such a mandate comprised “unworkable obligations and serious operational challenges” for his office. He also questioned the legality of the new law’s civil penalties.
That led to more legislation – SB 1121, currently awaiting action from Gov. Jerry Brown (D) – that would, among several things, kill a requirement that someone suing over a data breach first notify the AG’s office. It would also delay enforcement of the law until six months after the attorney general publishes the new regulations and clarify that consumers can file suit under the law only if a data breach is caused by a company’s failure to implement reasonable security steps.
That is far less than some advertising and tech companies want. Internet Association – an industry trade group comprised of tech giants like Amazon, Google, Microsoft, Facebook and Uber – has made clear its intention to continue working to modify the law before it goes into effect in 2020. Several of those same companies are also lobbying the Trump administration to come up with a federal law that would override the Golden State measure.
In the meantime, however, companies around the nation that do business in California are girding up to comply with the new law. Zetoony believes that how ready they are when the calendar clicks over to 2020 will be determined in great part by the effort they have already been putting in to comply with the EU’s GDPR statute.
“A company that has been diligently preparing to comply with the GDPR should be in good position to comply with the California law,” he says. “Some companies stashed [GDPR compliance] on their ‘to do’ list because they didn’t think the law confronted them at the time. But if you’re starting from a dead stop, I think you’re going to find California’s timetable very aggressive.”
Mathews says that preparation is even more challenging because the ground is also still shifting under the California law.
“If you really had a full year to prepare, it would be enough,” she says. “But we don’t really have a year because while we know there will be more amendments, we don’t know what they will be. We don’t want to start implementing compliance programs without knowing what the final law will look like.”
Using the GDPR as a model for preparation purposes is a start, but hardly a foolproof one. The EU law has itself only been enforceable since May of this year, and as yet has been cited in no enforcement actions. Without that, there is no way to know if the law will hold up to legal challenges.
Amidst so much uncertainty, Zetoony argues that states looking for a model to follow cast their eyes not to California but to Ohio, where Gov. John Kasich (R) in August signed SB 220, aka the Ohio Data Protection Act.
That law, which has drawn far less national attention than the California statute, incentivizes Buckeye State companies that compile and transfer personal data to better protect that information by granting them safe harbor from litigation over breaches, but only if they have in place at least one of 10 specific industry-recognized cybersecurity frameworks designed to “protect the security and confidentiality of personal information; protect against anticipated threats or hazards to the security or integrity of personal information; and protect against unauthorized access to and acquisition of personal information that is likely to result in a material risk of identity theft or fraud.”
Ohio is the only state that utilizes the carrot rather than the stick in regard to data privacy. Zetoony hopes they are not the last.
“If states adopted the Ohio law,” he says,” it would create a real sea change by getting far more companies to invest far more money into their data security systems.”