The online privacy saga continues. The latest chapter: yet another round of proposed changes to the rules implementing the California Consumer Privacy Act (CCPA), an unprecedented and overreaching set of restrictions effectively imposed throughout the country by a single state.
Internet traffic is interstate. Rarely is it confined within the boundaries of any single state, even one that happens to be the largest by population, the fifth biggest economy in the world, and the home of many major online companies. Congress therefore is the appropriate legislative body to craft the privacy rules of the road for virtual interactions between consumers and businesses.
In the absence of federal action, however, California's privacy law as a practical matter has filled the void, as many companies find it easier and more cost-effective to comply with the CCPA nationwide than to try to implement processes to identify who is covered and who is not. Of equal concern, efforts to implement the CCPA have led to uncertainty and confusion. As a result, compliance has been rendered unnecessarily and unreasonably more difficult and expensive.
As I have explained in a series of posts to the Free State Foundation blog and in a number of Perspectives from FSF Scholars, federal Internet privacy rules ideally should include the following:
- Consistent treatment of all rivals irrespective of outdated regulatory classifications
- A national approach that preempts state laws
- Exclusive enforcement by a single agency (that is, the FTC) and state attorneys general (in other words, no private right of action)
- A flexible, case-by-case approach to alleged violations rather than overly proscriptive ex ante rules
- An "opt-out" model with respect to non-sensitive personal information
- An acknowledgement that consumers do value ad-supported goods and services
Bipartisan efforts in Congress, in particular the Senate, have managed to find common ground on a number of these issues. Two, however, at present serve as insurmountable hurdles.
The first is state preemption. As I noted above and addressed in detail in "California's Heavy-Handed Approach to Protecting Consumer Privacy: Exhibit A in the Case for Federal Preemption," an October 2019 Perspectives from FSF Scholars, a "patchwork" of state and local privacy laws is incompatible with the inherently interstate nature of the Internet.
Consumers expect a common set of rules to apply no matter where they, or the online businesses with which they transact, may be located. Similarly, it would be unreasonable to require online businesses to comply with different requirements based upon (potentially inconsistent) geographic criteria: a customer's real-time location, state of residence, Internet Protocol address, or some other consideration. Technical and administrative efforts to make such identifications would be an unjustified waste of substantial resources.
The second is a private right of action. Without question, as a general matter enforcement mechanisms serve an important purpose. They provide the teeth that motivate compliant behavior, prevent violators from profiting from their misdeeds, generate clarifying case law, and compensate those who have been harmed.
Particularly in the privacy context, however, a private right of action is ill-suited to the achievement of these goals. Individual privacy-related injuries often go undetected. When they do draw attention, the identity of the perpetrator may not be known. Actual damages, necessary for a case to proceed, can be difficult to calculate. And statutory damages often lead to the unintended and undesirable result where plaintiffs' attorneys recoup legal fees but their clients receive little, especially in the case of class actions.
Nevertheless, the fact remains that members of Congress at present are unable to achieve consensus on either of these issues. The passage of federal privacy legislation therefore appears unlikely at this time. In the meantime, online businesses are subject to the CCPA and its evolving implementing rules.
Drafted in only "a matter of days" and signed into law on June 28, 2018, the CCPA:
- Created new consumer privacy rights (the right to know what data businesses collect, the right to require businesses to delete data, the right to opt out of the sale of information, and the right to non-discrimination for exercising these rights)
- Imposed substantial compliance obligations, including detailed notice and record-keeping requirements, upon businesses
- Authorized the California Attorney General to impose civil penalties for violations
- Established a private right of action qualified by a right to cure.
The CCPA also delegated to the California Attorney General's office responsibility for promulgating rules defining its precise scope. The devil is in the details, as they say, and until final rules were in place, businesses unavoidably lacked confidence in the adequacy of their compliance efforts. Unfortunately, Attorney General Xavier Becerra did not release initial draft rules until October 11, 2019, less than three months before the CCPA became effective on January 1, 2020.
Worse, the rulemaking process dragged on for months, beyond both the start of the new year, at which point businesses became subject to the provisions of the CCPA, and July 1, when enforcement of the statute itself began. After a great deal of administrative drama, the Office of Administrative Law (OAL) on an expedited basis approved final regulations on August 14. The rules became effective immediately.
Less than two months later, on October 12, AG Becerra proposed a third set of edits to those rules. As a result, businesses once again are faced with an uncertain future.
One such change relates to "do not sell my personal information" requests: businesses would be required to "provide notice by an offline method that facilitates consumers' awareness of their right to opt out." By way of example, notice could be given verbally during an interaction via phone or, if at a physical location, on paper forms used to collect personal information.
Another update would require that the methods by which businesses accept opt-out requests "be easy for consumers to execute and shall require minimal steps to allow the consumer to opt out. A business shall not use a method that is designed with the purpose or has the substantial effect of subverting or impairing a consumer's choice to opt out."
Comments on these proposed changes are due on or before October 28.
While these contemplated revisions are perhaps relatively minor, the fact remains that they would require businesses to expend additional resources to update their compliance programs.
The ink is not yet dry on the long-awaited "final" rules. The full extent of the COVID-19 pandemic's economic impact is unknowable. And the presence of the California Privacy Rights Act of 2020 (aka the CCPA version 2.0) on the November ballot threatens still more change and uncertainty.
Now is a particularly inopportune moment to impose additional burdens. But on the bright side, this most recent development out of California might serve as motivation for Congress to pass a federal privacy law.