One word keeps getting mentioned amid a push for federal privacy legislation aimed at reining in how Facebook, Google, and Apple collect personal information about their users: California.
It came up repeatedly during a House Committee on Energy and Commerce hearing about privacy on Tuesday. And it came up again during a Senate Committee on Commerce, Science, and Transportation hearing about the same topic on Wednesday.
At both hearings, members questioned representatives from privacy advocacy groups, business organizations, and technology associations about their views about a potential privacy law. But driving much of the conversation was the California Consumer Protection Act, or CCPA, the first-ever state data privacy law that takes effect in 2020.
A federal law, in theory, would limit companies’ use of customer data and require businesses to give consumers more control over it. But despite the additional burden, the tech industry supports new rules—and they want them sooner rather than later.
The reason is that companies hope to override California’s tough privacy law and the potential for other states to create their own versions. In fact, some regulators worry that the push by tech companies for federal legislation is solely so that they can wriggle out of California’s requirements and any equally stringent rules elsewhere.
Sen. Richard Blumenthal (D-Conn.) had stern words for the business and technology association leaders who testified during Wednesday’s Senate hearing. He wants companies to actually embrace stiffer federal privacy rules rather than use it to avoid tougher state laws and as an excuse to ignore their many privacy missteps.
“The overwhelming evidence is they’re willing to look the other way,” he said.
California’s privacy law aims to give consumers more control over their data, allowing them see what information is being collected about them and how it’s being used. The law also lets consumers edit or delete data and prevent their information from being sold to other companies.
Since California’s law passed in June 2018, several other states have started drafting similar bills that, if passed, could create a patchwork of regulations. But the patchwork isn’t the only thing businesses are concerned about.
The California law also uses broad language in defining “personal information,” which companies fear could create confusion. In addition, a proposed amendment in California could make it easier for consumers rights to sue companies for unauthorized use of personal information.
Tech advocates worry that several of California’s provisions don’t actually help people protect their information, said Peter Blenkinsop, partner at Washington, D.C.-based law firm DrinkerBiddle. Instead, they just make it tougher for companies to do business. The industry hopes a federal law would remedy those issues and create one set of regulations for the entire nation.
“I don’t think there’s any question that’s the primary motivating factor,” Blenkinsop said.
Regardless, the trade associations claim most of their member companies, including Facebook and Google, want federal rules that would be “better” than California’s privacy law. At Wednesday’s Senate hearing, the Internet Association, The Software Alliance, 21st Century Privacy Coalition, and the Interactive Advertising Bureau agreed that California’s law should be used as the foundation for creating federal regulations—but with some tweaks.
The sense of urgency by companies for regulation recalls what happened in 2003, said Jay Cline, privacy leader at PwC U.S. In January of that year, California passed a state law to prevent advertisers from spamming personal email accounts. Eleven months later, and with support from the business community, according to Cline, Congress enacted a much looser federal law that preempted California’s regulations.
This time around, discussions of whether a new federal privacy law would override state laws are particularly contentious. Democrats are generally skeptical of new regulation that preempts what California has already passed, DrinkerBiddle’s Blenkinsop said. Meanwhile, Republicans would much rather have one federal law and nothing more.
“The issue of preemption is going to be very difficult for the parties to agree on,” Blenkinsop said. “So I’m skeptical.”
Laura Jehl, a partner at Washington, D.C.-based law firm BakerHostetler who attended part of Tuesday’s hearing, is more optimistic about a federal law passing—and passing quickly.
“I think that something will happen this year or in the first six months of next year,” she said. “What I heard was everyone kind of trying to play nicely … it was more, ‘Let’s find a way to work together.’”
