Could California’s Data Privacy Law Be a Model for the Nation?

Under the law, which takes effect next year, web users can demand that a business tell them what personal information it is collecting about them and whether it is selling or sharing it, and if so to whom.

by Tal Kopan, San Francisco Chronicle / February 11, 2019

(TNS) — Lawmakers of both parties, advocates and business and tech industry lobbies all say this session of Congress may be the best chance in years to pass meaningful data privacy legislation.

That still might not be giving it the greatest odds.

There is widespread consensus that California lawmakers’ passage last year of a data privacy law, paired with a similar measure enacted by the European Union, has strongly motivated members of Congress to create a federal privacy protection regime. And the fall from grace of some of Silicon Valley’s biggest firms after scandals including the misuse of social media during the 2016 election has given advocates and lawmakers cover to take on tech giants.

Under California’s law, which takes effect next year, web users can demand that a business tell them what personal information it is collecting about them and whether it is selling or sharing it, and if so to whom. Consumers can also demand that a company delete their information. The law will allow people to sue companies whose negligence leads to breaches of personal data.

While some companies pushed for the bill, others whose business model relies on collecting and selling user data would like to see a federal law scale it back. Many businesses also want to avoid having to deal with a patchwork of state laws as well as the EU’s regulations, which include obtaining people’s “informed and unambiguous” consent for processing personal data, and requiring data collectors to report breaches.

Privacy advocates, meanwhile, are eager to seize the moment and pass a strong bill at the federal level, setting a minimum nationwide standard that would match or exceed California’s.

But even with the desire across the board to come to agreement, a number of sticking points — including how to deal with state laws like California’s — threaten to derail any effort. And when it comes to Congress, the safe bet is always on inaction.

Still, lawmakers working on the project as well as lobbyists and advocates see a real opportunity.

“I think that it’s one of the bipartisan, bicameral issues that can land on the president’s desk and should land on the president’s desk,” said Sen. Roger Wicker, R-Miss., who chairs the Senate Commerce Committee. “I think we can do it, and we need to do it. It’s an imperative.”

Wicker is working with fellow Republican Sen. Jerry Moran of Kansas and Democratic Sens. Brian Schatz of Hawaii and Richard Blumenthal of Connecticut to draft bipartisan legislation on the Senate side of the Capitol. By all accounts, the group is making substantive progress.

The path is less defined in the House, though Democrats are expected to pass something. Palo Alto Rep. Anna Eshoo, a member of the Energy and Commerce Committee, said she is working on draft legislation with a fellow Bay Area Democrat, Rep. Zoe Lofgren of San Jose, who is on the Judiciary Committee. Leading members of both panels are also expected to have a key role in crafting a bill.

Skeptics have reason to be pessimistic, beyond Congress’ perpetual difficulty in passing almost any legislation. Several years ago, as breaches of personal data became more common, Congress considered passing a bill requiring consumers and authorities to be notified of such events, as dozens of states were doing independently. In the end the effort failed, and every state passed its own law.

Several state attorneys general at a recent privacy conference in Washington predicted that the same thing could happen in the data privacy arena, with California’s new law ultimately serving as a model for other states. Vermont Attorney General T.J. Donovan is among those who doubt that federal lawmakers can agree on a unified approach.

“Until they do, you will have states act on this issue,” Donovan said. “I don’t think you’re going to see state (attorneys general) abdicate their responsibility to address their consumer protection responsibilities.”

Some experts, however, see more momentum for privacy legislation in Congress because of the issue’s existential nature to many companies. The handling of users’ data is essential to the fabric of most companies, from the way their websites are designed to the way a business model works. Complying with different state laws would be virtually impossible for companies that operate online, the industry fears, bringing them to the table for action.

Democrats and privacy advocates, though, want to ensure that the end result isn’t weakening states’ abilities to enact strong regulations.

“I’ve been involved in this over the 20 years when I was attorney general” of Connecticut, Blumenthal said. “When I did a bill on toy safety, the toy industry opposed it in our Legislature, then they opposed it in the court.” Eventually, they lost, he said.

“Then they got religion,” Blumenthal continued. “That’s what typically happens. An industry faces a patchwork of different state laws and goes to Congress to try to preempt them with a weaker measure. We’ve seen this movie before.”

There are several approaches being circulated in Washington for a federal privacy law. Privacy advocates want more responsibilities placed on companies than on consumers. That means banning some practices, including using data to discriminate against users, and giving people the right to sue over misuse. Consumers should own their data in most cases, advocates argue, which would include the right to delete it, change it or take it back.

Proposals from groups including the U.S. Chamber of Commerce and the Information Technology Industry Council would require companies to be more transparent about how they use data and collect consumers’ consent. The groups also argue that some uses of data may not require consent or disclosure, depending on the circumstances.

One of the major sticking points will be how to treat state laws. Republicans and industry representatives are pushing for anything Congress passes to override such measures. Democrats and privacy advocates say that’s acceptable only if the federal law is as strong as California’s.

“I don’t think that weakening a strong law should be the pathway in Congress,” Eshoo said at the recent privacy conference.

Her district includes several of the biggest companies in the tech industry. She said California’s law should be the model for Congress.

“There’s a saying: As California goes, so goes the nation,” Eshoo said. “Congress’ work should not be to chip away at what California did in its consumer protection law, but rather have it be instructive to us. And I think if we come up with something that’s strong, then we can avoid a 50-state patchwork of laws.”

Veterans of the California fight say they are not going to wait on Washington. Jim Steyer, founder and CEO of Common Sense Media, an advocacy group that seeks to help families navigate media and technology, called California’s privacy law a landmark bill that could be replicated in Congress.

He said lawmakers working on the issue are serious and that he has advised many of them. But he still doubts that anything can pass these days, much less strong legislation.

“The question is, can Washington overcome its dysfunctionality?” Steyer said. “We are skeptical as to whether or not Congress can get its act together, and our bottom-line position is if there is federal privacy legislation, it has to be stronger than the California privacy law.”

If it’s not, he said, then advocates will have no trouble focusing on the state level. “The entire tech industry is not going to agree with this, and some of the companies will spend hundreds of millions of dollars trying to water down the legislation, like Facebook and Google, maybe,” Steyer said.

San Francisco housing developer Alastair Mactaggart, who spearheaded a ballot effort that spurred the California bill, visited Washington last week to meet with key senators including Blumenthal, privacy hawks like Democratic Sens. Ron Wyden of Oregon and Ed Markey of Massachusetts, and Trump administration officials. He said repeated missteps by the tech industry, like the recent revelation that Facebook had created an app to collect personal data and was paying people, including teenagers, to use it, couldn’t offer “a better wind at my back.”

“The model’s there: California leads, the others follow,” Mactaggart said.

With Congress’ tendency toward inertia, it will be easy for either side of the debate to pull support if a bill becomes worse in its eyes than the status quo. Still, supporters of action hope that even debating and advancing ultimately unsuccessful legislation could amount to progress.

Wyden, who helped organize opposition to online anti-piracy bills that failed in 2012, isn’t ready to predict this will be the Congress that unites behind privacy legislation. But he’s not giving up hope, either.

“I don’t think the country is there yet on a tough privacy bill,” Wyden said. “But I sure think it’s coming.”

©2019 the San Francisco Chronicle. Distributed by Tribune Content Agency, LLC.