The country needs to pass federal privacy legislation to establish a national standard for individual rights. Today, too many state laws exist, creating confusion and duplication. We need to create a national standard that would apply to all businesses and organizations.
By not having a national standard, we miss the opportunity to establish a consistent comprehensive framework for privacy in the United States. Without a federal law states have passed their own laws. Today, California, Nevada and Maine have privacy laws, but many other states have bills working their way through legislatures. Many of these state efforts are based in part on the California Consumer Privacy Act (CCPA), which went into effect January 1, 2020.
The path to a formal privacy law in California took several years. In 2003, the state passed S.B. 1386, which requires any agency, person or business that does business in California to disclose any breach of security that resulted in personally identifiable information (PII) exposure. By 2018, California went from mandating breach reporting to regulating the processing and use of personal information. While July 2020 was the actual operational enforcement start for the CCPA, many are already looking to see what’s next.
CCPA was originally a grassroots ballot measure spearheaded by Alastair MacTaggart. Today, MacTaggart has joined with Californians for Consumer Privacy to push to make the law stronger. The updated proposal — the California Privacy Rights Act (CPRA) — will be on the ballot in the election this November. Here’s a snapshot of what may change, the proposed law:
- Creates a new sensitive personal information category with rights that let residents stop businesses from using such information, including health or financial data, or knowing and selling personal location without knowledge or consent.
- Triples CCPA fines for collecting and selling children’s private information. It would also require opt-in consent to sell to consumers under the age of 16. Children ages 14 to 16 can opt-in themselves, while children 13 and under need parental approval.
- Establishes a new state agency to protect privacy rights, the California Privacy Protection Agency.
The Electronic Frontier Foundation, as part of a coalition of privacy advocates, has filed comments about its concerns with the California Attorney General. The EFF says the existing CCPA doesn’t recognize Do Not Track practices (which lets users opt-out browser tracking), and further objects to the “removal” by the Attorney General of certain specific types of personal identifiers from the definition of personal information. Many are also concerned about the high costs associated with compliance with the CCPA as it stands today. An assessment conducted for the California Attorney General estimates the total cost of implementing the law at between $466 million and $16.5 billion dollars.
Akamai conducted a survey of 120 leaders about CCPA in May 2020 to develop a view on how the industry views CCPA. One question we asked was: “How do you think the government could strengthen existing legislation around CCPA and other US privacy laws?” The results were fairly evenly split: 57 percent said strengthen state laws; 49 percent checked creating a continued education program for data and local officials for data privacy compliance; another 49 percent said create a federal data privacy law; and 48 percent recommended creating a coalition of industry experts to continuously tweak and improve the law.
There are a number of groups trying to drive…
Schrems II Judgment Day
The Court of Justice of the European Union (“CJEU“) issued its judgment today in …
