Californians Deserve Better Data Privacy Laws, Not More

“As California goes, so too does the rest of the nation.” It is true that this state has long sought to lead the way and set the “strongest law in the nation” in any number of categories. More and more, though, it seems that the broadest possible law gets passed, and then the next year legislation is brought to pass an even broader law on the same topic. For those entities that must comply with those laws, and want to comply with those laws, this is problematic for obvious reasons.

Take California’s approach to data privacy rights over the last several years, starting with the California Consumer Privacy Act of 2018 (CCPA). The ink on the Governor’s signature hardly had a chance to dry on that landmark comprehensive data privacy law before an influx of bills were introduced. From overhauling and changing heavily negotiated elements of the act to adding separate protections for specific types of information, industries, or technologies in the piecemeal approach to public policy that the CCPA moved away from, they just keep coming. This year has been no exception. To provide just two examples:

• SB 1172 (Pan, 2022) would, for the first time, amend the CPRA to address a single industry (businesses providing proctoring services in educational settings) and add a new private right of action.
• SB 1189 (Wieckowski, 2022) would create additional restrictions separate from the CPRA around the collection and use of a single type of personal information (biometric information) and add a sweeping private right of action that guarantees statutory damages even for technical violations, where no actual harm is shown.

It is an understatement to say these bills are unnecessary, if not premature given existing and forthcoming privacy rights under the CCPA and the voter-approved California Privacy Rights Act (CPRA). Premised on the idea that broader protections and stronger enforcement is needed given the unique sensitivity of the information involved, they ignore the fact that additional protections for sensitive personal information take effect under the CPRA on January 1, 2023, and enforcement does not begin until six months later. Meaning, it is too soon to identify any gaps in the law justifying the need for these bills. In contrast, there is no question that, if approved, they would create more confusion and complications for businesses that must effectuate the laws. And more opportunities to sue them for good faith errors.

All of this is to say: rights that cannot be properly implemented are of little benefit to anyone. At some point, this state may wish to seriously consider whether Californians and California businesses would all be better served by ensuring we have the strongest laws in practice, and not just the strongest laws “on the books.”

Ronak Daylami, Policy Advocate