California’s new sweeping privacy law, the CaCPA (California Consumer Privacy Act), creates significant new rights for consumers and obligations for companies. Given California’s significance in the national economy, it is likely to have far-reaching effects and has prompted business groups to request the Federal Trade Commission to examine the potential impact of the California law.
Critics have claimed that the CaCPA creates a threat to the Internet economy and consumers’ access to digital-based information and services by placing onerous obligations on ecommerce providers. If other states follow suit, it could create a patchwork quilt of privacy obligations. Given the importance of the online business to the nation’s economy, federal legislators and regulators should consider a federal approach to privacy that properly balances individual privacy rights against the needs of the digital economy.
While states have a legitimate interest in protecting the rights of their citizens, there is a risk of inconsistent approaches. For example, the CaCPA has a very broad definition of personal information, including new categories such as browsing history, search history, and information regarding a consumer’s interaction with an Internet Website, application, or advertisement. Other states may adopt narrower definitions, which would mean that companies would have to treat such data in a different manner depending on the state of residence, potentially increasing the cost and burden of conducting ecommerce.
A federal law would eliminate such inconsistencies and create a uniform approach. This is important in ecommerce given the volume and interstate nature of most online and mobile transactions. It would enable companies to have a single approach to responding to data subject requests, rather than having to create a state-by-state approach (this was the stated goal of the General Data Protection Regulation for the European Union). It is also important for legislators to carefully consider the respective interests of consumers and businesses in crafting such legislation. One of the criticisms of the California law is that it was rushed and contained inconsistencies and ambiguities, which has already resulted in one amendment.
Does Congress have the will to adopt a federal privacy law? That remains to be seen. When states started adopting security breach disclosure laws over a decade ago, there were calls for federal legislation. However, Congress did not take action and the result has been that all 50 states have filled the void. Fortunately, these laws have been relatively consistent with each other, although there are variations that do increase the cost and burden of responding to security breaches. We must hope that until the federal government creates a uniform nationwide approach, the states take a reasoned and consistent approach.