Sure, California was the first state in the nation to pass a massive privacy bill, the California Consumer Privacy Act (CCPA). But how can California be a national leader if it is not willing to do the hard work to make sure that this law is realistic to implement? How can California claim to be protecting its residents if its flagship privacy law has provisions that run afoul of basic notions of privacy? The CCPA literally requires a business to provide all the specific pieces of information it has on any member of a household to any other member of the household that asks for it! Moreover, unlike the GDPR, the CCPA fails to ensure that businesses can adequately protect consumers against fraud and identity theft. These are just some of the problems that the business community has raised ad nauseum since the law passed. And due to problems like these, not one state has adopted the CCPA. Instead, other states have considered and rejected it.
Last year, when the CCPA passed in just one week, legislators assured the business community that there would be clean-up legislation; that there would be time to comb through the 10,000+ words of this complex law and make sure that it works. The business community was told to narrow our requests and to focus on our main priorities. We were told to work with privacy advocates and build consensus.
Well, we did our homework. All of it. Coming out of the assembly we had six bills – all of which had been narrowed significantly over the course of negotiations in the Assembly – and all but one of them passed the Assembly with near unanimous votes.
Despite this, a number of these bills were stalled in the Senate due to the influence of one Senator acting in lockstep with certain privacy groups that opposed the business community fixes – claiming they would “water down” the CCPA. But there seems to be something else at play here. These groups did not want an opt-out law. They wanted an opt-in law. They did not want enforcement by the Attorney General. They wanted enforcement by trial lawyers. (Side note, in privacy class actions, plaintiffs’ attorneys often name these same privacy advocacy groups as the recipients of cy pres awards – in fact, such awards are often a main source of funding for these organizations.)
Since these groups do not have to comply with the CCPA and since they weren’t thrilled with the compromise that resulted in it, it seems they may not really have a stake in whether the law works. It also seems that their opposition to our reasonable fixes may be more about holding out for the business community to agree to make the CCPA even more stringent. This is a tough pill to swallow as California is already requiring businesses of all sizes, across every industry to comply with the most robust privacy law in the country in a matter of months – and the regulations to offer guidance on crucial aspects of this law, like what constitutes a verifiable request, are not even complete. If these are the politics controlling the outcome here, it doesn’t reflect well on California’s ability to make this complex law work.
As we approach this last month of session, there are still serious flaws with the CCPA that must be fixed. There has been much talk about a possible end-of-session play. Against this backdrop, is that in the cards? It’s hard to say.