Of the many impacts Europe’s General Data Protection Regulation has had on the world, its requirement that countries outside the EU maintain adequate data protection standards in order to continue data exchange with EU nations is perhaps the most influential. As a direct result, we are seeing a wave of privacy legislation sweep the globe. When it comes to privacy, the world seems to have moved, but somehow the U.S. finds itself largely left behind, leaving states to fend for themselves, an approach that could quickly become a patchwork of confusing requirements for business and the public to understand.
The major catalyst for consumer privacy obligations in the U.S. is Section 5 of the Federal Trade Commission Act, which prohibits companies from unfair and deceptive practices. This puts enforcement, in large part, on the shoulders of the Federal Trade Commission — a woefully underfunded agency that lacks the capacity to serve at its full potential. Plagued by a chronic lack of resources, the five commissioners approach a broad mission of protecting consumers and promoting competition through strategic enforcement — a very different mandate from its EU counterparts, which have a far narrower scope and are better funded and staffed (though many still assert they too are under-resourced). The FTC relies on its investigatory powers to enforce the U.S.’s various consumer protection laws and, despite having a staff of more than 1,100 employees, only between 40 and 50 of them are dedicated to privacy matters.
With no federal privacy legislation and scant ability to hold companies accountable to existing privacy obligations, California took the initiative to enact the California Consumer Privacy Act, bringing tough privacy standards to businesses in an effort to protect its citizens’ online personal data. To take it a step further, voters went to the ballot box in November and approved Prop. 24, the California Privacy Rights Act of 2020. Modifying some obligations of the first act and introducing others, the 2020 Act’s real punch may turn out to be the establishment of the California Privacy Protection Agency.
The Agency will be the U.S.’s first dedicated privacy regulator. It will comprise a five-member board: the chairperson and one member of the board will be appointed by California’s Governor and the remaining three members will be appointed by the Attorney General, Senate Rules Committee and Speaker of the Assembly. Board members will come with expertise in areas such as privacy, technology and consumer rights.
With a projected budget of $10 million for FY2021, the agency is tasked with enforcing CCPA to start, and CPRA when it comes into force on Jan. 1, 2023. Given that the state’s fiscal budget begins July 1, the California Privacy Protection Agency will be able to tap these resources this summer, and it is expected to have 40-50 employees to help with enforcement matters.
What does all this mean for business?
While California has effectively changed individuals’ expectations for privacy, its legislation carries a huge impact for compliance efforts among businesses. But coupled with these complex business challenges was the knowledge of the AG’s limited resources. California Attorney General Xavier Becerra told Reuters that his office would “look kindly” on those companies demonstrating an effort to comply. All this served to lessen the urgency to achieve full compliance by the July 1, 2020, enforcement deadline.
Then came CPRA, which expands obligations of the CCPA, including the right to know, the right to opt out of the sale of personal information, the right to deletion, and portability. It also introduces new requirements, including the right to correct, the right to limit sensitive personal information, the right to access information about automated decision making and the right to opt out of such technology.
And, on top of that, it established an agency to enforce state privacy law with the same manpower the FTC devotes to privacy, setting the stage for real oversight over businesses’ privacy practices.
Tasked with taking over from the California Attorney General, the California Privacy Protection Agency’s sole focus on privacy will bring teeth to enforcing the requirements. The Agency triples penalties for violations regarding minors under the age of 16 from $2,500 to $7,500 and removes the 30-day cure period that CCPA offers businesses once they have been formally notified of an alleged violation.
The Potential for National Impact
California has taken it upon itself to regulate how companies maintain and protect people’s personal information with an extraterritorial law that puts businesses across the globe within its grasp. What’s more, the state is sending some tech-savvy and very privacy-aware individuals to the White House.
Vice President Kamala Harris served as Attorney General (2011-2017) for California and then senator for the state. As AG, Harris was very active in privacy, releasing guidelines and recommendations on issues from drafting privacy notices to cybersecurity, creating a tool for consumers to report CalOPPA violations, and most notably working to standardize and improve privacy protections in mobile apps. As a presidential candidate, Harris said in an interview with The New York Times that the American consumer needs to feel their privacy is intact. She said ensuring “consumers have the power to make decisions about what happens with their personal information and that it is not being made for them” is a first step to regulating big tech companies. Despite her close relationship with Silicon Valley, privacy remains a priority for Harris.
Current California Attorney General Xavier Becerra has made a name for himself in the privacy community through his leadership with CCPA. Tasked with operationalizing enforcement, Becerra and his office have been busy since CCPA came on the scene, drafting implementation regulations now on their fourth iteration. Last month, then President-elect Joe Biden tapped Becerra as the nominee for Secretary of Health and Human Services. Having Harris and Becerra, two leaders with a deep understanding of technology and experience with privacy, join the conversation in D.C. will certainly add depth to the ongoing debates surrounding federal privacy legislation.
California’s influence is palpable — whether it be with its groundbreaking legislation or its prominent politicians set to make the move into federal government. The state is leading the charge on privacy; now all D.C. has to do is follow.