California Doubles Down on Unworkable Data Privacy Law During Second COVID Shutdown – Pacific Research Institute

California Doubles Down on Unworkable Data Privacy Law During Second COVID Shutdown


Businesses were ordered to close. Schools were shuttered. People were told to stay home. Many believed that in a week or two life for the most part would return to normal and that COVID would be a bad memory.

Now, four months later, California has not just halted reopening but is reversing course. As people and businesses strained under the stress of emotional and economic turmoil, the state – without missing a beat – began to pile on new regulations. Unfortunately, people and innovation will pay the price.

The California Consumer Privacy Act, a massive consumer privacy regulation, was forced through the state legislature in 2018. The law was so problematic and ill-written that an enforcement date had to be set two years in the future so that whole paragraphs of ambiguous language could be addressed. The mechanisms for expanded policing and enforcement on the internet had to be determined. Unaffordable compliance costs for every website that can be viewed in California had to be considered as well.

That cost of compliance is estimated by the California Department of Finance to be roughly $55 billion, which would almost devour the combined revenue of California based Levi’s, Qualcomm and Hewlett Packard Enterprises. The crushing cost also happens to be roughly the same total as the 2020 budget shortfall state lawmakers and California Governor Gavin Newsom were forced to deal with following the outbreak of the coronavirus. The state budget deficit exploded, in part, because of efforts to help companies survive during the current crisis. Now, the state is putting unnecessary compliance costs onto businesses entering one of the worst economic climates in modern history.

Despite COVID, confusion and economic constriction, Xavier Becerra, Attorney General for California, decided to start enforcing the state’s new privacy law on July 1. This is despite the fact that even a couple of weeks earlier, companies could not be sure exactly how to comply as the actual rules were still in flux.

Consumer Reports was quick to dismiss any concern saying, “First of all, they knew this was coming,” but real businesses with real experience in operations have a different take. California Retailers Association President and CEO Rachel Michelin told the San Francisco Chronicle, ““We’re in a whole different ballgame. Nobody really knows what the right answers are. What can we do and not do?”

She explained that that many businesses will have to figure out how to handle health data about their employees and customers without clear guidance from the state.

Are privacy protections important? Of course. So much so that getting it right should be the priority, not just acting and taking credit. Doing it right includes asking whether this the right way to implement privacy laws, the right time to begin costly enforcement or even the right law in the first place.

The internet is an interstate network. Because of its reach, one state passing a law that targets the internet means the law will materially impact the entire country.

As a global web of servers, processors, computers wires and trunk lines, the internet is not in any one place. Political boundaries are irrelevant. Communications of any sort, whether email, storing or retrieving data, results in millions of data packets travelling over a web of technology to produce a coherent message. Those packets often do not even travel within national borders, much less in state lines.

A national solution is needed, and the California “model” is not it.  A successful privacy law would create a system grounded in consumer choice, with clear rules that consistently protect consumer data end to end while promoting competition and innovation in the online marketplace.

Consumers deserve laws that protect them, providing clear and understandable rules, so they are empowered to watch for signs that indicate a data breach or a scam. A confused and less vigilant populous will be increasingly prone to their data being collected and used inappropriately without the understanding that certain actions are wrong.

Consumers deserve a sound law. The economy generally and businesses specifically deserve the same and do not deserve one more regulatory blow even as the government orders many to close their doors once again.

Nothing contained in this blog is to be construed as necessarily reflecting the views of the Pacific Research Institute or as an attempt to thwart or aid the passage of any legislation.

Scroll to Top