If imitation really is the sincerest form of flattery, then the people behind California’s strict new data privacy law should feel pretty good about themselves right now. But even as more than a dozen states look to impose their own version of the law, the California Consumer Privacy Act (CCPA) itself is still hardly a settled matter.
According to Pam Greenberg of the National Conference of State Legislatures, which uses State Net bill tracking data, at least 15 states have active bills that impose comprehensive restrictions on the use of personal consumer data, “including name, online identifiers, email address, SSN, biometric information, passport number, etc.”
Approximately 20 more bills are pending in Congress. Most are based at least in part on the CCPA, which itself takes some elements from the European Union’s General Data Protection Regulation, the law many privacy experts consider the strictest and most expansive of its kind in the world. But even while the CCPA moves toward its July 1 enforcement date, the law is still being shaped into the final regulations that California Attorney General Xavier Becerra’s (D) office will be tasked with enforcing.
The AG’s office released its modified draft of those regulations in early February. W. Reece Hirsch, a partner and the co-leader of the privacy and cybersecurity practice of law firm Morgan Lewis, sees most of the changes as being fairly moderate.
“I don’t see any of these as representing radical changes,” he says. “These are more like fine tweaks that are responsive to the concerns of the business community.”
Among those changes is a clarification that the definition of “personal data” depends on how a regulated business “identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.”
For most people that is just legalese, but Hirsch says the key takeaway is more in what the modifications do not offer: guidance on CCPA exemptions, enforcement actions or consumers’ private right of action (PRA) in connection with data breaches. Whether those show up in the next month or so when the final regulations are expected remains to be seen, but he doubts there will be major changes then either.
“I would think that if we were going to see large modifications, we would have seen them by now,” he says.
But having the California law still somewhat in flux has hardly discouraged other states from moving ahead with their own versions of the bill. Current measures are pending in Arizona, Connecticut, Hawaii, Illinois, Minnesota, New York, New Jersey and Wisconsin, among others.
Right now, most observers are most closely watching legislation moving quickly in the Washington Legislature, where a CCPA-like measure (SB 5376 2019) cleared the Senate last year on a 46-1 vote, only to die in the House. That bill’s author, Sen. Reuven Carlyle (D), is also carrying this year’s proposal (SB 6281), which would grant Evergreen State residents five core data privacy rights, including the right to demand the deletion of personal data and the right to opt out of data processing. The Senate endorsed it on Feb. 14.
The new bill has been hailed by privacy advocates like Michelle Richardson, Director of the Data and Privacy Project for the Center for Democracy and Technology in Washington D.C., as a big step up over last year’s bill, both in consumer protections and for placing the onus of responsibility on data collectors for keeping that information safe.
But Richardson and others are also quick to note what they see as the bill’s flaws, such as the lack of a private right of action (PRA) that allows individual citizens to sue companies that violate the law. It also prohibits local governments from adopting their own stronger privacy measures.
The bill’s House companion, HB 2742, allowed both the PRA and local control. Companies found guilty of privacy violations would have faced penalties of up to $50,000 per violation and up to $100,000 for each intentional violation. But that measure died in the House Committee on Innovation, Technology & Economic Development in mid-February, leaving privacy advocates frustrated.
“What we’re left with is a Senate bill that largely ignores the recommendations made by consumer advocacy groups, privacy organizations, and community organizations representing people of color, immigrant rights groups and LGBTQ communities,” says Jennifer Lee, Technology & Liberty Project Manager for the Washington state chapter of the American Civil Liberties Union.
Lee said having the PRA “is an access to justice issue, and this bill expressly prohibits equal access to justice.”
Richardson understands that frustration. She says it is a similar debate to what is going on with the many bills under consideration in Congress.
“We’re hoping that states can find an answer like what the feds are starting to talk about, which is a middle ground where you can sue over some things but not everything,” she says. “If you have 45 days to process an access request and it comes in on day 46, should that be a lawsuit? Or do you want to be able to sue companies that don’t let you delete your data at all?”
Washington Rep. Shelley Kloba (D), who sponsored the failed House bill, is still hopeful that lawmakers will reconsider the PRA clause, although with the session ending on March 12 time is running out to make it happen. Kloba says there is a good reason for doing so.
“When we lay out these rights for people, you have to ask what are their opportunities for getting redress when those rights have been violated,” she says, adding that without citizens being able to take on their own civil suits, the entire burden falls to the office of state Attorney General Bob Ferguson (D). And that, she says, could be a very heavy lift.
“Whatever we put in place for enforcement, we will then have to fund,” she says. “And that has not been a point of discussion. The idea of creating these broad consumer protections but then not designating them as a per se CPA (Consumer Privacy Act) violation is going to make it difficult for them to enforce.”
Kloba believes it is possible they could try a gradual PRA roll-out that gives both consumers and businesses a chance to adapt to the law before empowering consumers to file civil litigation. But that is also not without risk. She worries that consumers will see passing the current bill as is as “solving everything,” thus lessening their willingness to support efforts to add a PRA later.
It is a concern Mary Stone Ross knows well. Ross, Associate Director of the Electronic Privacy Information Center, co-wrote the 2018 California ballot measure that drove Golden State lawmakers to develop the CCPA in the first place. That proposal, which had already qualified for the ballot, included both a PRA and local enforcement options. But lawmakers, who wanted to keep the measure off the ballot, convinced Alistair Mactaggart, the proposition’s lead sponsor, to pull it and to support their legislation (SB 375 2018), which had neither.
A bill (SB 561 2019) sponsored last year by California Sen. Hannah-Beth Jackson (D) that would have added PRA power to the CCPA died in committee. Citing a lack of support, Jackson told State Net Capitol Journal she has no current plans to try again.
Ross, who was then president of Californians for Consumer Privacy, was furious at Mactaggart for agreeing to lessen the bill’s enforcement options.
“Everything with this is about enforcement, and it was a really big deal to strip DAs of that power,” she says.
She is also not enamored of a new ballot measure drive that Mactaggart has undertaken which would, among other things, create a new state agency to enforce the law. But Ross notes it would also widely broaden the current definition of “de-identified” information, which is not subject to the law, and double the number of customers a company collects data on before it comes under the law, from the current 50,000 to 100,000.
“This really is a wolf in sheep’s clothing,” she says.
Even so, she is encouraged that more states are looking to craft data privacy measures of their own.
“The more states that pass privacy bills, the better. I just hope they’re stronger than California’s,” she says.
-- By RICH EHISEN
Many States Considering Data Privacy Bills Like California’s
At least 15 states have introduced comprehensive consumer data privacy bills this session, according to Pam Greenberg of the National Conference of State Legislatures. The measures are similar to the California Consumer Privacy Act (AB 375) enacted in 2018, although some are more or less restrictive than the California law. All of the bills would apply to a broad range of personally identifying information, such as names, email addresses, social security numbers and biometric data.