Unlike Europe, with its recently implemented GDPR, the United States does not have a comprehensive law to regulate the collection and use of data. Certainly, a federal law in this realm, which primarily regulates the internet, is preferable to a piecemeal, state-by-state approach. Yet, as is often the case in these situations, California passed a law to fill the void: the California Consumer Privacy Act (“CCPA”).
Unfortunately, as most of you likely know, the CCPA was signed by Governor Brown less than one week after its language was made public. Of course, it was rushed through the legislative process in order to avoid an even worse ballot initiative drafted and funded by a real estate developer, Alastair MacTaggart.
Anyway, over the past few weeks, the U.S. Senate Committee on Commerce, Science, and Transportation has held informational hearings to discuss potential federal privacy legislation as well as to study the GDPR and the CCPA.
Mr. MacTaggart was invited to Capitol Hill to testify and, in an effort to sell his CCPA as a template for any federal law, he left out some key facts.
First, and most crucially, when asked which businesses must comply with the CCPA, he stated, “CCPA only covers businesses with over $25M in revenue, and data brokers selling large amounts of personal information.” He conveniently left out an incredibly broad category of businesses covered by the CCPA, many of them small to mid-sized: businesses collecting or sharing personal information of over 50,000 consumers, households, or devices in one year. This may sound like a high number at first blush, but it is not, given the CCPA’s broad definition of “personal information,” which includes, for example, IP addresses. If a company has an average of 137 unique visitors to its website per day over the course of one year, it could hit the 50,000 threshold.
He also described the CCPA as legislation largely without flaws that was crafted over “years” with bipartisan support. The reality is that numerous legislators – on both sides of the aisle – voted in favor of the CCPA in order to avoid the ballot initiative because such a detailed law, regulating a crucial component of our state’s economy belongs with the legislature so it can be amended in the future. Many legislators were unhappy with the one-week process that neither allowed for in depth hearings nor amendments to the 33-page bill. Despite the sugarcoating, the CCPA is riddled with errors that will result in serious, unintended consequences if not addressed.
Mr. MacTaggart decried a coordinated effort by “Big Tech,” to undermine the key provisions of the CCPA. The reality is that a large and diverse coalition of businesses ranging from wineries and movie studios to retail stores and hospitals has come together to propose amendments to the numerous flaws with the workability of the CCPA.
As just one example, the CCPA requires businesses to provide consumers with “specific pieces of information” the business has collected upon their request. That could include credit card numbers or birth dates – incredibly sensitive information the consumer already knows. Yet, the CCPA forbids a business from requiring any consumer to create an account so the business can verify the consumer requesting their data is who they claim to be. This runs counter to common sense principles of privacy.
Perhaps problems like this are why, after consideration of the details of the CCPA during its meeting last month, the Council of State Governments declined to include the CCPA in its 2019 publication of “Shared State Legislation,” as a model for other states to use for privacy legislation.
So, what is next for the CCPA? The business community will continue to push for crucial legislative fixes next year. Also, we intend to be involved in the AG’s regulatory process to ensure that business efforts to implement and comply with the CCPA can be as efficient and safe as possible. While federal legislation is preferable, we can’t hold our breath for a solution from Washington D.C. given the dysfunction there these days. The CCPA will soon be the law of the land here in California. We need to make sure it functions properly – both for consumers and businesses.