The country needs to pass federal privacy legislation to establish a national standard for individual rights. Today, too many state laws exist, creating confusion and duplication. We need to create a national standard that would apply to all businesses and organizations.
By not having a national standard, we miss the opportunity to establish a consistent comprehensive framework for privacy in the United States. Without a federal law states have passed their own laws. Today, California, Nevada and Maine have privacy laws, but many other states have bills working their way through legislatures. Many of these state efforts are based in part on the California Consumer Privacy Act (CCPA), which went into effect January 1, 2020.
The path to a formal privacy law in California took several years. In 2003, the state passed S.B. 1386, which requires any agency, person or business that does business in California to disclose any breach of security that resulted in personally identifiable information (PII) exposure. By 2018, California went from mandating breach reporting to regulating the processing and use of personal information. While July 2020 was the actual operational enforcement start for the CCPA, many are already looking to see what’s next.
CCPA was originally a grassroots ballot measure spearheaded by Alastair MacTaggart. Today, MacTaggart has joined with Californians for Consumer Privacy to push to make the law stronger. The updated proposal -- the California Privacy Rights Act (CPRA) -- will be on the ballot in the election this November. Here’s a snapshot of what may change, the proposed law:
- Creates a new sensitive personal information category with rights that let residents stop businesses from using such information, including health or financial data, or knowing and selling personal location without knowledge or consent.
- Triples CCPA fines for collecting and selling children’s private information. It would also require opt-in consent to sell to consumers under the age of 16. Children ages 14 to 16 can opt-in themselves, while children 13 and under need parental approval.
- Establishes a new state agency to protect privacy rights, the California Privacy Protection Agency.
The Electronic Frontier Foundation, as part of a coalition of privacy advocates, has filed comments about its concerns with the California Attorney General. The EFF says the existing CCPA doesn’t recognize Do Not Track practices (which lets users opt-out browser tracking), and further objects to the “removal” by the Attorney General of certain specific types of personal identifiers from the definition of personal information. Many are also concerned about the high costs associated with compliance with the CCPA as it stands today. An assessment conducted for the California Attorney General estimates the total cost of implementing the law at between $466 million and $16.5 billion dollars.
Akamai conducted a survey of 120 leaders about CCPA in May 2020 to develop a view on how the industry views CCPA. One question we asked was: “How do you think the government could strengthen existing legislation around CCPA and other US privacy laws?” The results were fairly evenly split: 57 percent said strengthen state laws; 49 percent checked creating a continued education program for data and local officials for data privacy compliance; another 49 percent said create a federal data privacy law; and 48 percent recommended creating a coalition of industry experts to continuously tweak and improve the law.
There are a number of groups trying to drive different agendas for privacy laws/regulations. They are all trying to get the right balance of providing a positive experience and appropriate use. Personally, I want help picking what to watch or the next book to buy. I fully understand that the capabilities/applications I get for free are using my information to make money to deliver that service. However, I expect the company to store accurate information and use it in the way I intended.
In any event, the CCPA will likely serve as a model for other states, so many companies and other states are carefully watching how it develops. Sporadic state efforts have also generated increased support for national privacy legislation to avoid the compliance patchwork problem created by disparate laws. With the number of groups expressing concern about the existing CCPA, the uncertainty around the meaning of some of the language, and a ballot measure seeking to strengthen the law, we can expect that the CCPA will change and we’ll see continued activity around consumer privacy for many years.
CCPA has already provided insights that Congress can use to enhance a federal law. But federal privacy legislation needs to be tailored to suit a full range of business models, including B2B. For example, providers such as Akamai need to have the flexibility to use threat information from one customer to inform how we protect all other customers so we can provide increased resilience to cybersecurity threats.
In the past few years, we have unfortunately seen too many instances of companies not being the best custodians of their customers’ data and privacy. Federal privacy legislation would send a clear signal that the U.S. has committed to strong privacy rights and that companies should and can be held accountable for ensuring that the data they collect about their customers are only used as per the wishes of their customers and safeguarded accordingly. Finally, given the cross-border nature of the Internet, a consistent federal framework will deliver more comprehensive protection for all Americans.
Steve Winterfeld, Advisory CISO, Akamai Technologies
