CCPA, California Get It Wrong on Data Privacy
Data privacy is one of the defining public policy debates of the new decade. As other countries push data privacy regulation heralded as global standards, California is headed in the other direction with the rollout of the state’s Consumer Privacy Act, or the CCPA.
Unfortunately, the CCPA was not a consensus measure that came from years of policy negotiations with stakeholders. The reality is much more disappointing. In 2018, a wealthy California real-estate investor, Alastair McTaggart, threatened the California State Legislature, saying he would spend whatever it took to pass a ballot measure on data privacy, for which he spent millions to collect the signatures, if lawmakers didn’t act on data privacy. The ballot measure was modeled after Europe’s massive data privacy regulation, the General Data Protection Regulation or GDPR.
The GDPR gives European citizens more control of their personal data and threatens massive fines, up to four percent of a company’s global revenue or 20 million euros, depending on the severity. Europe’s GDPR has been recognized as a global standard since it applies to any company who has data on a European citizen.
Back when the CCPA was first passed in 2018, the California Office of the Attorney General estimated that initial business compliance costs would run around $55 billion.
The AG report further estimated that a business with 20 employees or less would likely have to spend $50,000 to meet the first stage of compliance. As if $50,000 for a small business is pocket change.
Stealing great public policy ideas is all fine and good, but the CCPA’s initial rollout has been ugly. Problems, problems, more problems, and technical amendments have plagued the enactment of data legislation. And just this month, the California Attorney General released an updated version of the proposed CCPA regulations.
Much smarter people than me have heavily criticized the new regulations. The National Law Review said that the uncertainties will continue. Others say there is still a way to go, with one legal analysis commenting, “On balance, these proposed revised regulations introduce some practical improvements, but still require a significant amount of consideration in interpreting broad language…” Comments to the attorney general are due this week, with final regulations set for later this summer.
Gary Kibel, partner at Davis & Gilbert, called the CCPA rollout the most disjointed process for such a significant legal development.
The wild card in all this comes full circle to the man who started this frantic race to data privacy. McTaggart, the real-estate developer who pushed CCPA in 2018, is pushing another ballot measure in 2020.
McTaggart had already launched the second ballot measure before the first version of the CCPA even took effect this year. One addition in the proposed CCPA “2.0” would be a five-member state agency that will enforce privacy protections. Because no new law is complete with a task force or new agency in California.
But the rush to pass CCPA in the state legislature and McTaggart’s eagerness ever since to go around the law he negotiated exposes a glaring problem: it’s a rushed mess. Negotiations and discussions for Europe’s GDPR began in 2011, with the regulation passed in 2016, with an enactment date of 2018. It took close to a decade to bring a data privacy framework together in Europe, setting up systems of reporting, fines, and accountability.
McTaggart could essentially blowup two years-worth of legislative, regulatory, and business input with another suite of regulations and provisions.
Europe’s GDPR had received similar criticism to California’s attempt at data privacy: vague regulations, excessive costs, and questions about jurisdiction around the globe. But GDPR’s implementation was measured in years, not months like CCPA in California.
Fredrick Lee recently wrote for TechCrunch, “Laws like CCPA and GDPR help set the groundwork for change, but they don’t address the broader issue: businesses feel entitled to people’s data even when it’s not part of their core product offering and have encoded that entitlement into their processes.”
According to the National Conference on State Legislatures, 24 states have considered legislation on data privacy in 2019 alone. Hopefully these other states won’t do what California did and rush such an important process.
As noted in the research paper “Is the Market for Digital Privacy a Failure” by Caleb Fuller from Grove City College, “The question has never been whether consumers value privacy at all but rather how strongly they value it. The question is not whether individuals prefer more privacy but rather how much of other goods individuals are willing to exchange for greater privacy.” The paper’s conclusion also argued that the government’s long-term failure of respecting data collection and consumer privacy.
We do need data privacy and protection, but California should go back to the drawing board instead of passing one-off fixes to such an important issue.
Evan Harris is the media relations and outreach manager at PRI.