Over the last couple of years, several state legislatures have considered online privacy legislation. Most of these efforts failed, including in California, but the misguided effort was brought back by a San Francisco real estate developer, Alastair MacTaggart, with no expertise in privacy law or legislation. He spent his millions gathering enough signatures to force a ballot initiative.
Knowing that ballot initiative language can rarely be amended or changed, and recognizing the proposed ballot language was severely lacking, the legislature passed his law after a mere week of work on the issue. They believed it was better to pass the substandard language into law where at least they had the chance of amending it, instead of it being cemented in place via the ballot initiative process. And so, the legislature created the California Consumer Privacy Act (CCPA).
Mactaggart may have a good heart but seems to be woefully ignorant of good lawmaking. He recently said that his solution to the privacy challenge was to give all Americans the same rights as Californians. What he fails to understand is that also means all Americans would live under the same failings of the law without the benefit of their needs being represented. The California legislature is still promising to fix the myriad of problems, including continuing to allow employers to collect personnel information from employees, contractors, and applicants.
Sadly, the Golden State has placed its citizens’ privacy at greater jeopardy by moving forward with a poor bill and already adding more to it. Few state lawmakers are that interested in people from other states trying to “solve problems” for them. The California move increases the likelihood that a patchwork of state and local laws will result, confusing citizens and making compliance for companies all but impossible. In addition, the target is already moving as efforts are underway, not just to clean up the sloppy legislation, but to pile on more regulations before the current law has even been tried.
While some of the efforts failed, others are still moving forward. One example is legislation to force manufacturers of smart speakers to disengage the very technologies that make them “smart.” That is, manufacturers would have to design an opt-in system for the speaker to record, learn and respond to certain words. But the supposed problem the legislation seeks to address is already covered in existing law, making this effort both duplicative and confusing for consumers.
Smart speakers only record when “awoken” with a key word, and consumers can already change settings to delete the recorded files that make the speaker smart. Moreover, under the CCPA, consumers can force the deletion of personal information, and so manufacturers already need to secure recorded messages. In the end, the law will only limit the smarts of the speaker, making the technology less valuable and delivering less innovation to the consumer.
The reality is that political boundaries, such as state lines, are of little consequence to the internet, a truly interstate network. Interstate challenges require a federal solution.
Concern is growing that Washington, D.C. seems to lack the necessary urgency to act before the standard is put in place. No matter how messy the state attempts, they will continue without national action. Just this year, Hawaii, Maryland, Massachusetts, Mississippi, and New Mexico introduced broad invasive legislation that was somehow to fix so-called privacy problems. Three other states, New York, North Dakota, and Washington had proposed legislation to protect personal data.
A successful privacy law will be one that works, one within which business can effectively and efficiently operate, not one that is little more than a ban on particular business models. Such bans in turn limit consumer options and restrain their preferences, instead insinuating government control. Good law will be grounded in consumer choice, not one mired in litigation. It will produce a system with clear rules that consistently protect consumer data end to end, while promoting competition and innovation in the online marketplace.
Success will come from protecting consumers equally, requiring transparency in the use of consumer data, and setting clear up-front expectations, not a scheme resulting in a patchwork of multiple pop-up “privacy warnings.” This is the way to protect consumers and allow our companies to compete globally, keeping the way clear for innovation in California and all of America.
Bartlett Cleland is a senior fellow in tech and innovation at the Pacific Research Institute.