Is California’s Data Privacy Law a Ticking Time Bomb for Business?

With the deadline for California Governor Gavin Newsom to sign or veto legislation fast approaching, one public policy issue that received little to no attention at the end of California’s legislative session is the state’s pending data privacy law.

In 2018, the California Consumer Privacy Act was made law when former Gov. Jerry Brown signed Assembly Bill 375 and Senate Bill 1121. The act mirrors the European Union’s data privacy regulation, a massive regulation aimed at protecting personal data and fining companies that fail to report data breaches or comply with regulations. Europe’s regulation, the General Data Protection Regulation, went into effect in 2018.

Under the California Consumer Privacy Act, large companies or those selling data will be forced to share what personal information they have with consumers if asked. Consumers can request the information be deleted or prohibit it from being shared.

The California Consumer Privacy Act, or CCPA, is in a similar vein to other Golden State public policy: be fast, be first, and fix any problems later. The Golden State often proudly trumpets itself for being first on major public policy issues that lead the nation.

While all 50 states have some form of security breach law on the books, the passage of California’s privacy act gave the state bragging rights for passing broad data privacy protections first.

An analysis of the California Consumer Privacy Act by the San Francisco Federal Reserve noted, “. . . GDPR’s focus is on when data collection itself is acceptable, outlining six permissible purposes, while the CCPA is focused on consumer rights after the collection has occurred.” GDPR is more about the accuracy of data and CCPA only applies to the transparency of data.

The California State Legislature hurried to pass it in 2018 due to the threat of a ballot measure on data privacy going before voters.

Like any piece of California legislation, nothing is set in stone. Lawmakers quickly passed SB 1121 in 2018 after passing the original bill to address serious concerns.

This year, more clean-up bills were passed. You can put good money on the California Legislature introducing and passing even more changes to the act once it goes into effect in 2020.

Federal regulations are in place to address consumer privacy in certain institutions: the Gramm-Leach-Bliley Act relates to finance, the well-known Health Insurance Portability and Accountability Act relates to healthcare, and the Fair Credit Reporting Act relates to consumer credit information, among others.

Not surprisingly, these federal regulations were enacted well before the modern digital landscape and there’s no one act that addresses data privacy. In general, the United States follows a sectoral approach, where regulations, legislation, and self-reporting are used for data protection. The United States Constitution does not include a specific right to privacy, but many states have added it to their constitutions. Europe, under its General Data Protection Regulation law, follows a unified data protection regulation directed by one policy.

The California Attorney General plays an active role in the California Consumer Privacy Act and is required by law to solicit public comments to craft the final regulations. Currently, the attorney general does maintain a security breach list for the public, but the pending law increases the attorney general’s regulatory role. It is expected that the attorney general will publish the final regulations this fall, giving companies a six-month grace period to comply.

Another interesting sidebar is that the California Attorney General was one of two attorneys general who did not sign on to the Google antitrust investigation. One wonders if California’s data privacy law had any impact on that decision.

The final wrinkle for data privacy in California is another measure that could be placed before California voters on the November 2020 ballot. Guess who’s pushing that proposal? The original author of the California Consumer Privacy Act, Alastair Mactaggart. Mactaggart’s threat of a ballot measure in 2018 was the original impetus for the California Consumer Privacy Act.

An important question to ask is whether California companies are ready for the new data privacy law. With less than two months to go, one would think most companies are putting the final touches on preparing, right?

A recent survey found quite the opposite.

ESET, an IT security company, recently released a poll about business readiness for the California Consumer Privacy Act. The responses were bad.

Of the 625 business owners and executives polled, over 44 percent have never heard of the act, a third said they don’t know what to change to comply, and more than half have said they haven’t modified their behavior or processes to comply with Europe’s General Data Protection Regulation. More than 70 percent of those surveyed were small business owners with 25 or fewer.

A recent article by the Wall Street Journal detailed the incredible complexity businesses will face when the California Consumer Privacy Act goes into effect, including the investments needed to simply track consumer data. The article cited one consultant who said that companies are prepared to spend as much as $100 million in order to comply with the law and, maybe most importantly, that many companies already in compliance with European regulations won’t have to do as much.

California made a legislative splash in 2019: passing AB 5 for gig economy workers, changes to wildfire planning and power outages, even allowing college athletes to get paid for endorsement deals [I’ll link to my Newsy interview selfishly!]. In Governor Newsom’s first term, they’ve pushed a hard-progressive agenda with little resistance.

Unfortunately, it seems like the importance and dangers of how to adopt the California Consumer Privacy Act have been pushed aside. Let’s hope that one of the big pieces of policy that wasn’t talked about at all won’t become a glaring problem for the state in 2020.

Evan Harris is the Media Relations and Outreach Manager for Pacific Research Institute. 

Nothing contained in this blog is to be construed as necessarily reflecting the views of the Pacific Research Institute or as an attempt to thwart or aid the passage of any legislation.
