Lawmakers See California Consumer Privacy Act As Basis for Federal Law
Lawmakers discussed the impact of California Consumer Privacy Act in a Senate Judiciary hearing on Tuesday.
Politicians seem keen on making a model out of the California Consumer Privacy Act, the groundbreaking comprehensive privacy law slated to go into effect next year.
In a Senate Judiciary hearing held on Tuesday, “GDPR & CCPA: Opt-ins, Consumer Control, and the Impact on Competition and Innovation,” the law drew strong support from lawmakers, including Senator Dianne Feinstein (D-Calif.) and Senator Richard Blumenthal (D-Conn.) who both suggested the law should be the standard, not the exception, when it comes to laying the groundwork for a federal data privacy bill going forward.
The CCPA, introduced last January and signed into law by California Governor Jerry Brown in June, would impose impose 77 provisions, so far untested, on enterprises; it would also impose statutory fines - up to $2,500 per violation and up to $7,500 per intentional violation - and create a private right of action.
Feinstein in particular on Tuesday said she wouldn't support a federal bill that weakens the CCPA. Blumenthal, similarly, said the bill should be the basis for a federal bill and added that the bipartisan bill he's working on with senators Jerry Moran (R-KS), Roger Wicker (R-MS) and Schatz (D-HI) would build off the CCPA.
The hearing, which also featured testimony from privacy lawyers with Google and Intel, along with representatives from DuckDuckGo, Mapbox, and the Californians for Consumer Privacy group, also reignited debate around opt-in versus opt-out consent, location tracking, and how big tech companies are monetizing user data.
A chunk of the hearing’s questions were lobbed at Will DeVries, Google's Senior Privacy Counsel, over the company's data tracking efforts.
Sen. Josh Hawley (R-Mo) asked DeVries whether Google's Android phones continue collecting data when they're turned off or if users have opted out of tracking. Chairman Lindsay Graham (R-SC), who presided over Tuesday’s hearing, continued further, prodding DeVries about how much Google makes through behavioral advertisements, ads, and other information it gleans from users' browsing history.
DeVries, for what it's worth, told the committee it only collects data from users who have opted out if it's needed to carry out the phone's basic functions.
During the hearing, some Senators, like Mazie Hirono (D-HI), argued in favor of opt-in consent, pointing out that users infrequently change their privacy settings. While Feinstein and Sen. Marsha Blackburn (R-TN) echoed those sentiments, senators Dick Durbin (D-IL), and Senator John Kennedy (R-La.) piled on, saying that few users actually read the notices - mostly because they're long and filled with legalese - and that should put the onus on tech companies to better inform users what they're signing up for when consenting to an opt-in requirement.
DeVries downplayed deploying opt-in universally, saying it could trigger a wave of notifications, a la last year's GDPR opt-in messages.
Tuesday’s hearing was the latest in a long line of hearings around the CCPA in comparison and contrast of its European counterpart, the General Data Protection Regulation.
A California State Senate Judiciary Committee Hearing, “The State of Data Privacy Protection: Exploring the California Consumer Privacy Act and its European Counterpart,” held earlier this month in Sacramento, took a closer look at the CCPA’s provisions and the challenges companies may face in order to comply with the deadline.
The law continues to go through changes as we march towards 2020. California Attorney General Xavier Becerra and Senator Hannah-Beth Jackson proposed a new set of amendments to the CCPA last month, bills that would expand the private right of action - something that would allow Californians to bring a civil action for damages based on alleged violations, remove a requirement that the Attorney General’s Office provide businesses with legal counsel on compliance, and eradicated language in the bill that would have given a business 30 days to remediate a violation before enforcement.