Two years ago, the recently adopted California Consumer Privacy Act (CCPA) helped spark industry support for federal privacy legislation. After the passage of the CCPA, numerous companies and industry groups came out, for the first time, in favor of passing a federal privacy law—in part to preempt the CCPA before it became effective on January 1, 2020. But their efforts bumped up against reality. The 116th Congress has a very large California delegation, led by a Speaker of the House who defended the role of states as “policy innovators.” It quickly became evident that any preemptive federal privacy law would need to exceed CCPA rights to stand a chance at passing.
Cameron F. Kerry
Ann R. and Andrew H. Tisch Distinguished Visiting Fellow - Governance Studies, Center for Technology Innovation
Fellow - Center for Strategic and International Studies
Former Research Analyst - The Brookings Institution
Now, California voters have upped the ante. The state voted to pass the Proposition 24 ballot initiative on Election Day, which amends the CCPA with a more comprehensive privacy scheme: the California Privacy Rights Act, or CPRA. As a result, federal legislation will have further to go in the 117th Congress to equal or surpass the protections of California law—or else face opposition from Californians and privacy and consumer advocates.
How Proposition 24 raises the bar
Even though the original CCPA introduced landmark privacy protections, it fell short of addressing fundamental problems with existing privacy regulation and practices. The statute gave California residents the rights to access and delete personal information held by businesses and opt out of the sale of data—which ultimately put the burden on people to become aware of and make their own privacy decisions. These provisions fell back on the existing model of notice-and-consent, instead of placing restrictions on how businesses collect and process the data.
Proposition 24 changes this paradigm. The CPRA imposes new requirements for businesses to protect personal information, including by “reasonably” minimizing data collection, limiting data retention, and protecting data security. It also strengthens accountability measures by requiring companies to conduct privacy risk assessments and cybersecurity audits, and regularly submit them to regulators. In addition, it supplements the individual rights in the CCPA with new notification requirements, clarifies that individuals have the right to opt out of both the “sale” and “sharing” of personal information, and adds protections for a new category of “sensitive data.”
How would a federal law top the CPRA?
Almost every federal privacy bill in the current Congress meets the general baseline established by the original CCPA, predominantly through the inclusion of individual privacy rights. But notably, two bills from Senate Commerce Chairman Roger Wicker (R-MS) and Ranking Member Maria Cantwell (D-WA) go distinctly beyond the CCPA by establishing boundaries for data collection, use, and sharing—and extending those obligations to third parties that receive personal information. Now that the CPRA has incorporated many of these same provisions, it will become more challenging for Congress to establish that federal bills like the SAFE DATA Act or COPRA provide equal or greater privacy protections. Nevertheless, there are still several areas where federal legislation can offer California residents tougher privacy standards—surpassing what is included in both the original and amended CCPA.
Private right of action: One of the most contentious debates centers around whether individuals should be able to bring legal actions under privacy laws. Earlier this year, a Washington State privacy bill foundered over the same issue. In order to reduce industry opposition in California, referendum leader Alastair Mactaggart acceded to a limited private right of action in both the CCPA and CPRA. The CCPA narrowly allows individuals to sue for cases of “unauthorized access and exfiltration, theft, or disclosure of a consumer’s nonencrypted or nonredacted personal information,” and requires potential plaintiffs to give businesses a 30-day notice and an opportunity to “cure” the issue. The CPRA does not significantly expand this provision, and only clarifies that the disclosure of an email address, combined with a security question or password that would expose access to an online account, constitutes a covered data breach and that businesses cannot “cure” a claim simply by implementing new security procedures following an incident.
Mactaggart’s pragmatism in this regard could serve as an example to stakeholders in the federal debate, but any passable federal privacy law—especially one with significant preemption—is likely to require a more robust private right of action. In a recent Brookings report, we (with John Morris and Nicol Turner Lee) suggested a middle-ground path that would allow individuals to seek remedies for harmful or offensive uses of personal information while limiting the potential for “nuisance” lawsuits. Likewise, in a man-bites-dog moment, Jerry Jones, the general counsel of LiveRamp, a data connectivity platform, wrote that “[FTC and state enforcement] build an effective foundation … but there will be situations where a person should have access to the judicial system to seek redress.”
Small business requirements: The CCPA has a significant across-the-board exemption: it does not apply to any organization that annually generates under $25 million, earns less than half of its revenue from selling consumer data, and processes data from fewer than 50,000 entities. And although the CPRA alters the parameters of this exemption, it does not eliminate it. However, this approach leaves gaps in privacy protection since many notable privacy failures have come from small businesses.
In this light, a federal privacy law could substantially strengthen privacy standards by placing restrictions on all organizations. Here, Cantwell and Wicker take separate approaches: COPRA broadly exempts businesses that do not meet certain size or revenue requirements from all provisions of the bill, while the SAFE DATA Act only exempts them from certain ones. In our report, we generally suggest scaling business obligations according to the size and complexity of the covered entity, scope of covered data, and possible privacy risks, with some additional requirements or exemptions for large or small data holders. This would establish some baseline duties to protect privacy for all organizations, while avoiding an unmanageable burden for smaller businesses.
Algorithmic discrimination: The CCPA does not directly address algorithmic discrimination, although the CPRA does give individuals the right to opt out of automated decisionmaking. But, as we wrote in our report, algorithms and machine learning have the potential to use personal information in ways that could harm individuals. This becomes a civil rights issue if algorithms make decisions that could reduce opportunities for a group of people or otherwise violate existing federal or state anti-discrimination laws.
The Wicker and Cantwell bills both would fill in the gaps left by the CCPA and CPRA. The SAFE DATA Act provides for the FTC to refer information about potential violations of anti-discrimination laws to relevant agencies and calls on the FTC to issue algorithmic transparency reports and develop guidance on avoiding algorithmic discrimination. Meanwhile, COPRA requires businesses to conduct annual “algorithmic decision-making impact assessments” and stipulates that any violation of anti-discrimination laws is also a violation of the FTC Act. In our report, we suggest that companies should observe a “duty of care” against processing or transferring covered data in a manner that could violate existing anti-discrimination laws, in addition to the legislative provisions from Wicker and Cantwell. On this emerging privacy issue, a federal privacy law could go well beyond the CPRA by holding businesses responsible for showing that their algorithms do not have a disparate impact.
Finding a bipartisan path in the 117th Congress
Like its predecessor, the CPRA may renew industry focus on federal legislation that could preempt privacy laws from California—or any other state that may pass a new privacy statute. Although the CPRA does not come into full effect until January 1, 2023, it creates a new California Privacy Protection Agency that will begin operating in July 2021. This gives the 117th Congress a window to pass privacy legislation before the full effects of the CPRA appear.
The stakes will be higher on both sides. For Republicans, the CPRA increases the incentive to pass a preemptive federal privacy law; for Democrats, California’s stronger protections raise pressure to preserve state privacy laws. And so, as happened in the 116th Congress, privacy legislation could deadlock without strong compromise. Of course, the political situation will depend on the impact that Georgia’s upcoming run-off election will have on party control over the Senate. But there will be a new presidential administration in 2021—and Joe Biden is on record supporting comprehensive privacy legislation. The 2020 election has certainly not erased political polarization, but privacy legislation may be a subject on which Congress and the new administration can collaborate on a bipartisan basis.