Former Gov. Jerry Brown signed it almost a year ago, but it’s still unclear what California’s first-in-the-nation data privacy law will look like in practice.
The law was the first in the United States to attempt to define internet users’ rights over their personal data that companies often sell for marketing purposes. But ahead of the law’s Jan. 1, 2020, implementation date, the state is still grappling with the balance between consumer protection and a light regulatory approach that has allowed the tech sector to become a major part of the California economy.
“When it comes to tech in California, the balance is making sure we continue to have an environment that fosters creativity and innovation, while also at the same time fighting to have the proper amount of consumer protection and privacy that any of us … would want,” said Ian Calderon, the California Assembly majority leader. “That’s not always such an easy thing.”
The legislature passed the privacy bill just days before a deadline to move forward a ballot measure seeking similar rules. Lawmakers got involved partly because passage of the ballot measure would have blocked their future ability to legislate on the issue.
What resulted was a rushed product that even its author agrees needs some changes. The law is unclear on several issues, including definitions of what counts as personally identifiable information, what a household is, and whether employees should be counted as users.
Xavier Becerra, the state’s attorney general who will be tasked with rulemaking to enforce the law by midway through 2020, said he’s looking to craft comprehensive and precise regulations.
“There’s a lot of questions asked by sector and consumers about how we’ll interpret specific words,” he said. “A lot of this is giving precision to the language.”
Those types of items can be fixed with bills to “clean up” the law, said Assembly Democrat Ed Chau, the 2018 law’s sponsor and the chairman of the chamber’s privacy committee. Beyond those types of things, though, Chau said he doesn’t want to see the spirit of the law substantially changed. He would oppose efforts to weaken it and would want any bill to strengthen protections to win consensus before reaching his committee.
“The law may not be perfect, and that’s the reason why we’re cleaning up the law,” he said. “But it’s still a very fine product, as is, because we are giving consumers a lot of rights that they should be entitled to.”
More than cleanup
Despite Chau’s position, advocates for increased privacy protections and industry groups seeking major changes to the law have pushed legislation this year that would go beyond the kind of cleanup Chau envisioned. That process has put lawmakers in the position of mediating between the tech industry and consumer advocates.
The confusion plays out against a backdrop of federal inaction. Though both the U.S. Senate and House have held hearings about a potential federal privacy bill, neither has taken meaningful steps to advance one.
State lawmakers say little is lost by not having a federal standard. Calderon said California sets national and international standards on several issues and didn’t need a federal government standard on privacy.
Reuven Carlyle, a state senator in Washington from the Seattle area who chairs his chamber’s committee on privacy and wrote a data privacy bill based in part on the California law, said a federal approach might be ideal but is out of reach at the moment.
“We’re living in a time where the federal government is functionally impotent. In a beautiful, academic, idealistic world of ivory towers, yes, we want a meaningful federal policy, such as GDPR,” said Carlyle, a Democrat, referring to the European Union's broad General Data Protection Regulation. “But that is almost a dream world.”
Without federal action, it’s up to states to step in, Carlyle said.
That’s no problem for privacy advocates, who often view movement at the federal level as an effort to undermine stronger state standards.
Ed Mierzwinski, senior director of the federal consumer program at the U.S. Public Interest Research Group, said privacy rights in other sectors have started, and sometimes remained, at the state level.
“Good ideas come from the states,” he said. “And that’s why we need to preserve the right of the states to continue to come up with good ideas.”
If the federal government were to pass such a law, it should allow states to go above it, privacy advocates say. Chau, the California law’s author, made a similar plea.
“If they’re tempted or inclined to pass a federal law, they should use California as the baseline,” Chau said.
But the prospect of 50 separate state laws is exactly what the tech industry is eager to avoid.
“More problematic is the fear that every state will follow suit and pass a somewhat differing law,” said Kate Tummarello, policy manager for Engine, which advocates for technology entrepreneurship.
Privacy advocates dismiss concerns over a variety of state bills. Many policy areas — including other areas of privacy — are subject to different regulations in different states.
“States doing different things is hardly a new problem. It has existed for decades,” said Lee Tien, a senior staff attorney at the Electronic Frontier Foundation. “There are lots of laws that allow for local variation. States like California have outsized influence. This is kind of par for the course. This is the way the world is.”
But Tummarello said experience with the European Union’s GDPR showed that just the administrative costs — even if laws are substantially similar — can be a significant burden for smaller companies.
One such company dealing with that issue is Patreon, a five-year-old company that connects artists with those willing to financially support them.
Patreon’s business model is built on collecting a percentage of each donation. Data collection and sharing is not part of it, said Weston Dombroski, part of the legal team at Patreon. Still, in the eyes of the California law, the company is considered a data broker — same as Facebook and Google — because it hands off its users' data to third parties that help the company with things such as processing payments, he said.
Sitting in a meeting room in Patreon’s headquarters overlooking downtown San Francisco, Dombroski said each new law introduces a new cost for the company to reach compliance.
The irony is that Google and Facebook, the biggest targets of the law, have the resources to comply with it. That won’t be so easy for smaller firms like Patreon, which would have to cut into its operations to cover the cost of compliance.
“So like cut away the actual thing your company does in order to better follow the regulations that weren’t intended for what your company does in the first place,” he said. “Not what we want to do.”