The frustration of California lawmakers that led to the passage of the state’s consumer data privacy law last year is entirely understandable. How could the states not be dissatisfied when it comes to the lack of federal action to protect consumers online? And the requirements of that soon-to-be-implemented law may tighten even further due to a new privacy-focused ballot measure in California for November 2020.
A broad national consensus exists around internet privacy rights, but Congress has failed to act, so California acted on its own. Now, the California Consumer Privacy Act is scheduled to take effect on Jan. 1. Of interest, numerous other states have announced an intention to follow suit and adopt their own state privacy standards. Already this year, Maine and Nevada passed laws that differ from California’s, and models considered in Washington and New York are completely different, as well.
As well-intentioned as these actions may be – possibly meant to prod Congress to act – unless Congress adopts a uniform national privacy standard, Balkanization of the internet looms.
Web services are offered on a national basis, and many would be disrupted by a multiplicity of diverse and contradictory state privacy requirements. Small companies and startup businesses would face new major costs of compliance. In addition, consumer confusion would be a certainty.
Consider the example of a smartphone user who lives in one state, travels to another state and accesses an e-commerce site headquartered in a third state. The service provider for that customer is headquartered in a fourth state and uses a server data center in a fifth state. Which state law applies?
One of the goals of privacy legislation is to assure consumers a constant level of protection, regardless of where they happen to be or how they access the internet. Lack of clarity about which state law governs would sow tremendous uncertainty and lead to a lack of trust among the internet-using public. To provide the privacy security internet users want, Congress should adopt one strong, clear national privacy standard that governs from the content-providing edge to the internet service providers. And states should be preempted from adopting their own inconsistent regulations.
Is it common for Congress to preempt the states upon the adoption of a federal standard? Yes, when there is a strong national interest in one comprehensive policy. In the areas of toxic substances, pharmaceuticals and energy efficiency, to name a few, Congress has adopted national standards and simultaneously preempted state action.
Fortunately, the political logjam that has held up the creation of a federal privacy bill is showing signs of breaking. According to recent reports, there are privacy discussions happening between Sens. Roger Wicker, R-Miss., and Maria Cantwell, D-Wash., the chairman and ranking member of the Senate Commerce Committee. The House is also tackling the challenge, led by the offices of Rep. Frank Pallone Jr., D-N.J., and Rep. Jan Schakowsky, D-Ill., the top Democrats on the House Energy and Commerce Committee, who are in discussions with the Republican lawmakers on the committee.
Congress now has a little more than two months before California’s privacy law goes into effect, and if the newly introduced privacy initiative qualifies for California’s November ballot with more than 600,000 signatures, the state’s rules could change yet again with a ‘yes’ decision from voters in 2020.
Congress should use the next couple of months wisely, heed the broad national consensus in support of strong federal privacy protections and pass a bipartisan measure that would rank as one of its biggest accomplishments. The clock is ticking.
Originally published at East Bay Times/The Mercury News