California's new privacy rights could come to your state, too
California passed its version of the GDPR, and now more states could copy the California Consumer Privacy Act.
Laura Hautala, Former Senior Writer
Nevada and Maine have already passed privacy laws, and at least 11 more states considered privacy bills. While they didn't pass in 2019, advocates have plans to submit more legislation in the coming year. In addition, five other states have tabled new privacy rules and instead created task forces that will study how to regulate data privacy.
As is often the case, California has set the agenda for state houses across the nation. With nearly 40 million residents, California and its frequently progressive legislature have been at the forefront of laws covering everything from plastic bag bans to animal welfare laws in recent years. Now, privacy is on the agenda.
This didn't have to be the case. California is home to many high-powered tech companies that profit from consumer data. But there are also highly committed privacy advocates in the state, noted Mitchell Noordyke, an attorney who has tracked comprehensive privacy legislation in statehouses around the country.
"In the case of the CCPA," Noordyke said, "advocates rode a wave of public sentiment in favor of privacy protections to force through legislation otherwise opposed by industry."
That created a blueprint for other states to copy.
The California model
The California Consumer Privacy Act, known by the initials CCPA, starts by giving residents the right to learn what data companies have collected about them, to ask companies not to sell that data and to request the data be deleted. The data can come from any source, including the internet, databases and paper forms.
The law defines personal information broadly, so everything from your browsing history to personal characteristics such as race and marital status are covered. The definition also includes biometric and location information.
Features of the California law are being repeated in other states' bills, though not always to the same extent. Nevada's new law, which went into effect in October, applies only to data collected from consumers through the internet. Maine's law, which passed in June, applies only to internet service providers.
Washington also considered a comprehensive law in 2019 that was in some ways tougher than California's. It included nonprofits, as well as businesses, and it took a more flexible approach to what could be considered personal information. It also required companies to justify their data collection by having user consent or another valid reason. The bill petered out at the end of the 2019 legislative year, but could be reintroduced in 2020.
Inspired by the European Union
California's law takes cues from the European Union, where the General Data Privacy Regulation went into effect two years ago. The regulation created a new framework for data privacy, forcing companies doing business in Europe to provide people with extensive rights tied to their personal information.
The GDPR created a sea change in thinking about privacy that legal observers say helped California and other states move forward with comprehensive privacy legislation. Businesses were already positioning themselves to comply with Europe's new strict standard. Why not in the most populous US state, too?
California's law, however, leaves out a few major components of the GDPR, such as requiring companies to have a valid reason for processing data and minimizing the amount of data they collect. Other state laws and bills are similarly pared down.
One federal law to rule them all
After CCPA passed, tech companies voiced concerns that they would soon end up with 50 different privacy laws to comply with. The companies, including Facebook and Google, said it would be better to have one federal law that covers the whole nation. Those demands could get louder.
"As more states follow California's lead and push forward with new privacy laws, we'll likely see increased pressure on the federal government to take a more proactive role in the privacy sphere," said Mary Race, a privacy attorney in California.
The Senate Commerce Committee held a hearing in December to discuss two potential frameworks, both of which seek to set a federal standard and designate regulators to enforce the law. Lawmakers expressed bipartisan support for privacy laws, though no legislation has moved forward.
Still, several key aspects of a prospective law were up for debate at the hearing. The Republican framework, submitted by Sen. Roger Wicker of Mississippi, would preempt state data privacy laws, and would limit enforcement to the FTC. Sen. Maria Cantwell of Washington, who submitted the Democratic bill, has said she's considering letting consumers directly sue companies, and would not supersede state laws.
While federal law supersedes state law in general, many federal laws leave room for states to enact tougher requirements on top of the baseline set by US legislators.
December's Senate hearing was only the latest of several that have focused on data privacy since the Cambridge Analytica scandal brought Facebook and other tech companies under scrutiny in Congress. Unless federal lawmakers can move a bill to a vote, state laws will remain the law of the land.