In an October 2019 Perspectives, I argue that the California Consumer Privacy Act of 2018 (the "CCPA") violates sound principles of online consumer privacy regulation and threatens to reduce consumer welfare – and not just within that state's borders. Given the size of California's economy and the prominent role it plays in the tech and information services sectors, the harmful impact of the CCPA could be felt across the country, if not the world. It is therefore incumbent upon Congress to adopt a federal privacy law that preempts California's attempt to establish de facto rules of the road for the nationwide digital services marketplace.
A recent announcement by a major technology company highlights my concerns.
In , Julie Brill, Microsoft's Corporate Vice President for Global Privacy and Regulatory Affairs and Chief Privacy Officer, announced that it "will extend CCPA’s core rights for people to control their data to all our customers in the U.S." Other companies undoubtedly will follow suit, for a number of reasons.
First, it may be more cost efficient to establish and maintain a single, national compliance program than one for the state of California and another for the rest of the country.
Second, consumers reasonably expect that a single set of online protections will apply regardless of where they, or the company with which they are transacting, happen to be.
Third, online traffic flows inherently are interstate in nature. By design, the route that an Internet Protocol data packet travels is influenced by real-time network congestion levels. Even between the same two end points, that path – and the state(s) that it passes through – can vary from one moment to the next. To the extent that targeted compliance requires the accurate identification of a consumer's location, companies may choose to apply the CCPA nationwide rather than risk a violation solely due to technical error.
A new federal privacy law could sidestep these issues – but only if it preempts state action. Not all lawmakers agree, however. In fact, two Democratic members of the House introduced legislation on November 5, 2019 that would make the situation far worse.
The Online Privacy Act, drafted by Silicon Valley Representatives Zoe Lofgren and Anna Eshoo, proposes its own highly proscriptive set of privacy rules. Among other things, it would: create consumer rights that are similar, but not identical, to those found in the CCPA; require companies to obtain explicit consent (i.e., "opt-in") before disclosing or selling personal information; prohibit the use of web traffic information as the basis for ads; create a new federal bureaucracy – the 1,600-employee-strong Digital Privacy Agency – rather than leverage the experience and expertise of the Federal Trade Commission; and establish a private right of action for individuals.
The most significant problem with the Online Privacy Act, however, is that it would impose requirements at the federal level – but would fail to preempt state laws. De facto regulation of the nationwide digital services marketplace pursuant to the California model would be bad. The "patchwork" that could result if other states enact their own laws would be worse. Worst of all, however, would be an additional layer of burdensome federal regulation on top of (likely inconsistent, and certainly problematic) state law(s).
The effective date of the CCPA is right around the corner. Absent congressional action, on January 1, 2020, California's ill-conceived approach as a practical matter may become the privacy law of the land. Those members of Congress who recognize the need for a coherent, nationwide approach to online privacy oversight should act promptly to preempt not just this inconsistent state law, but also rival proposals at the federal level that threaten to exacerbate the situation.