California’s sweeping new privacy law, the CaCPA (California Consumer Privacy Act), creates significant new rights for consumers and obligations for companies. Given California’s significance in the national economy, it is likely to have far-reaching effects and has prompted business groups to ask the Federal Trade Commission to examine the potential impact of the California law.
Critics have claimed that the CaCPA creates a threat to the Internet economy and consumers’ access to digital-based information and services by placing onerous obligations on ecommerce providers. If other states follow suit, it could create a patchwork quilt of privacy obligations. Given the importance of online business to the nation’s economy, federal legislators and regulators should consider a federal approach to privacy that properly balances individual privacy rights against the needs of the digital economy.
While states have a legitimate interest in protecting the rights of their citizens, there is a risk of inconsistent approaches. For example, the CaCPA has a very broad definition of personal information, including new categories such as browsing history, search history, and information regarding a consumer’s interaction with an Internet Website, application, or advertisement. Other states may adopt narrower definitions, which would mean that companies would have to treat such data in a different manner depending on the state of residence, potentially increasing the cost and burden of conducting ecommerce.
The CaCPA also gives consumers the right to restrict the sale of their information. The legislature did create carve-outs from this right; for example, the term “sale” does not include the transfer to a third party of the personal information of a consumer as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the business. This carve-out applies provided that the information is used and shared consistently with the CaCPA in the same manner that it was represented prior to the sale (such as in an online privacy policy). But what if another state takes a stricter view and requires consent to any form of sale? This could severely impact the ability of businesses to engage in mergers and acquisitions, as it would mean that segments of the selling company’s databases might not be transferable.
A federal law would eliminate such inconsistencies and create a uniform approach. This is important in ecommerce given the volume and interstate nature of most online and mobile transactions. It would enable companies to have a single approach to responding to data subject requests, rather than having to create a state-by-state approach (this was the stated goal of the General Data Protection Regulation for the European Union). It is also important for legislators to carefully consider the respective interests of consumers and businesses in crafting such legislation. One of the criticisms of the California law is that it was rushed and contained inconsistencies and ambiguities, which has already resulted in one amendment.
Does Congress have the will to adopt a federal privacy law? That remains to be seen. When states started adopting security breach disclosure laws over a decade ago, there were calls for federal legislation. However, Congress did not take action and the result has been that all 50 states have filled the void. Fortunately, these laws have been relatively consistent with each other, although there are variations that do increase the cost and burden of responding to security breaches. We must hope that until the federal government creates a uniform nationwide approach, the states take a reasoned and consistent approach.