On Jan. 1, 2020, California will begin enforcement of a sweeping new privacy law. The law emerges as a national model, inspiring other states to adopt similar measures. But businesses — and tech companies in particular — express reservations about its requirements.
As Politico reports, the new law compels any company doing business in California, physically or virtually, to disclose what personally identifiable information it has collected about individual residents of the state upon request. California citizens have the power to ask companies and data brokers to stop selling their information or to delete it entirely.
The California Consumer Privacy Act was inspired by the European Union's General Data Protection Regulation, and it in turn inspired other states to act, CSO Online reports.
“Proposals to strengthen or weaken the act have stalled this year, in part over concerns about honoring the privacy deal brokered last summer that led to the law's passage,” Politico reports. Tech companies, including Google, spent hundreds of thousands of dollars in attempts to “tweak” the law, according to Politico, but the California state legislature has left it largely unaltered so far.
States Follow California Consumer Privacy Act Example
While the passage of California’s privacy law inspired other states to consider similar measures, only a few have acted to date. “Of the 24 states that considered data privacy legislation this year, only Illinois, Maine and Nevada enacted new laws,” reports the Herald & Review. Illinois passed a law to prevent insurers from “using genetic testing information to set health or accident insurance rates.”
Maine passed a privacy law targeting internet service providers, which will have to obtain consumer consent to "use, disclose, sell or permit access to" personally identifiable information, JD Supra reports. It goes into effect in July 2020.
Nevada passed a privacy law, set to go into effect Oct. 1 of this year, implementing strengthened consumer protections prior to the enforcement of the CCPA. “The Nevada law requires each operator to establish a designated address for consumers to submit requests to opt out of sales of their covered personal data that the operator has collected,” according to a Mayer Brown blog post.
“Though the Nevada law is narrowly focused on allowing consumers to opt out of the sale of personal information, its earlier effective date may challenge companies preparing for CCPA compliance to roll out an opt-out function even sooner, at least for those affected by the Nevada law,” the post adds.
New York weighed privacy legislation that many thought to be tougher than California’s law, but the bill died after the state legislature did not consider it over the summer. “The law would have applied to non-profits as well as for profits, and included a private right of action for data breaches of $10,000 per consumer,” the National Law Review reports.
“Unlike the EU’s laws, the CCPA exempts small businesses — those that collect data from under 50,000 consumers, make under $25 million annually, and earn less than 50 percent of their revenue from customer data,” notes Security Boulevard.
Tech Companies Seek Fewer Restrictions
In California and elsewhere, tech companies such as Google and Intel sought more freedom in their use of personally identifiable information than permitted by the CCPA data privacy restrictions.
TechNet, a technology trade group whose members include Google and Facebook, said after the law’s approval it was “critical that the business community, consumer groups, and the Legislature work together over the next 18 months to improve this law,” reports The Mercury News. The trade group continues to seek changes after legislative efforts to amend the bill failed.
TechNet Executive Director for California and the Southwest Courtney Jensen says “meaningful clarifications” are “still necessary to ensure businesses can comply with this new, extensive law, and consumers can still access the products and services they expect,” The Mercury News adds.
Tech companies sought exemptions to share consumer information with government agencies and to narrow the definition of "personal information" under the law, among other changes.
Some businesses have pushed for a national model that would preempt California’s law. “Intel, for example, has drafted its own proposed law. It has already been updated twice after comment and criticism from other businesses, experts and the public,” Security Boulevard notes. The Intel proposal emphasizes risk-benefit analysis instead of blanket data protection. “The goal seems to be to enable, rather than restrict, the use of customer data, but to do so in a secure and equitable way,” Security Boulevard adds.
As Mayer Brown notes in its blog post, variations in state law and repeated industry activity may eventually lead to a national U.S. law: “As additional states enact laws, and as those laws diverge, privacy and security compliance will become more fractured and complex. The proliferation of these laws may give further impetus to the need for federal privacy and security legislation so that companies can avoid the challenges raised by divergent privacy and security requirements throughout the United States.”