The California Consumer Privacy Act (“CCPA”) has been lauded as a “huge step forward” that could set a standard for other states and the federal government that enact increasingly robust data privacy legislation. Indeed, some federal lawmakers view the law so favorably that they do not want future federal legislation to replace it. In the words of Rep. Jackie Speier (D-Calif.) to Politico: “California’s bill is the best. Why would we want to preempt it?”
However, as Congress continues to consider what a federal data privacy law might look like, data privacy advocates are warning that the CCPA presents a less than ideal model. As the Privacy & Data Director at the Center for Democracy & Technology, Michelle Richardson, explained in her testimony before the Senate Judiciary Committee, the CCPA is too burdensome: Not for businesses, but for consumers.
The CCPA revolves around a series of rights granted to consumers. Those rights allow consumers to: (i) know about what personal information a business has collected about them; (ii) access said personal information; (iii) have the business delete their personal information; and (iv) opt-out from the sale of their personal information. To give these rights meaning, the CCPA requires businesses to disclose these various rights to the consumer. And the law requires businesses to inform consumers, at or before the point of collection, about “the categories of personal information to be collected and the purposes for which the . . . personal information shall be used.” (Cal. Civ. Code § 1798.100.)
As a useful point of comparison, the GDPR creates a similar individual-rights regime, but couples its grant of individual rights with a series of accountability mechanisms designed to “encourage companies to embrace data minimization and purpose specification when they use data.” That is, independent of consumers’ rights to access and control their data, companies under the GDPR are required to use only as much personal information as is necessary for their specified business purposes.
The CCPA lacks this component. Richardson described how the CCPA gives businesses “basically unlimited rights to use personal information for businesses purposes,” and has “no actual restrictions on data collection.” The result is a significant burden on consumers. If businesses are free to collect and use personal information without restriction, then it falls on consumers to manage their data. This aspect of the CCPA represents as a practical matter little change from the current status quo. To be sure, the individual rights granted by the CCPA do give consumers a tool to manage their data, but given the amount of data collected in today’s digitized world, the tool may not be powerful enough for the job. “It is one thing to ask an individual to manage the privacy settings on their mobile phone; it is another to tell them they must do the same management for each application, social network, and connected device they use.”
How and how much the CCPA burdens businesses are topics of considerable debate that have garnered much attention. Fortunately, now the law’s burden on consumers is getting an airing. California’s bill may be “the best,” but consumer advocates and businesses seem to agree that even the best things can use improvement. Whether federal lawmakers will agree remains to be seen.