California’s New Privacy Law is No Model for the Nation
The fundamental problem of defining privacy is the same as defining obscenity. What is an outrage to one person is no big deal to another.
Justice Potter Stewart said it best in his concurrence in the landmark case on obscenity (Jacobellis v. Ohio): “I shall not today attempt further to define the kinds of material I understand to be embraced within that shorthand description [of “hard-core pornography”], and perhaps I could never succeed in intelligibly doing so. But I know it when I see it.”
The same goes for most people when it comes to privacy. Most people feel they “know it when they see it” when something should be considered private, but that too is in the eye of the beholder. What one person sees as an invasion of privacy, another sees an example of great customer service. Sensitivity of protection of health records for some may be of higher concern than about their shopping habits being made public. Others are more concerned with what the government knows about them than what an online grocery store knows about their cereal choices.
Understanding “privacy” can be a daunting task. Crafting a law to protect consumer “privacy,” especially online privacy, is a challenge even under the best of circumstances. Unfortunately, California’s new privacy law hurts consumers in the Golden State and nationwide.
The process itself was enough to raise eyebrows. Seeking to avoid a ballot initiative, the California legislature passed the California Consumer Privacy Act after working on it for just one week. To be fair, the legislature was essentially forced to act by a San Francisco real estate developer with no expertise in privacy law or legislation. He used his millions to gather signatures for a privacy ballot initiative.
Recognizing that his proposed ballot measure was severely lacking — and how hard it is to amend initiatives once passed, the legislature chose to rush through an imperfect measure to avoid the ballot fight altogether.
Given the lack of time for vetting a very complicated measure, it’s no surprise that the new law has many problems. So bad was the proposal that the bill was passed with a 2020 implementation date, giving the legislature a chance to try to fix what it can. Much work must be done to make a California-only set of privacy rules a workable solution in a global economy.
For starters, the law is likely unconstitutional on free speech grounds. It includes whole paragraphs of ambiguous language, and subjects businesses small and large to compliance costs they likely cannot afford.
Worse, the law will apply to every website that can be viewed in California regardless of where a business is located. So, other states will now likely react with their own legislation, resulting in multiple, conflicting privacy laws of their own.
As the internet is one most obvious example of an interstate network, the notion that one state would pass a law that materially effects the entire country is challenging. As a global web of servers, processors, computers wires and trunk lines, the internet is not in any one place. Political boundaries are irrelevant. Communications of any sort, whether email, storing or retrieving data, results in millions of “data packets” traveling over a web of technology to produce a coherent message. Those packets often do not even travel within national borders, much less state lines.
A national privacy solution is needed, and the California “model” is not it. A successful privacy law will be one grounded in consumer choice, not one mired in litigation. We need clear rules that consistently protect consumer data end to end while promoting competition and innovation in the online marketplace.
Many states looking after our privacy means we do not have any. Consumers will have few signals to watch for indicating a data breach or a scam. The result will be a less vigilant population that is increasingly prone to their data being collected and used inappropriately without understanding that certain actions are wrong.
If we really want a sound law that protects all the people, other states should learn from California’s mistakes. Crafting sweeping policy changes are not the best way to create effective public policy, period.