The California Consumer Privacy Act (CCPA) goes into effect January 1, 2020. The law requires companies of a certain size that collect information on customers in the golden state to disclose data collection practices and delete information on demand. It also empowers users of qualifying websites to opt out of large swaths of the online data activity.
If that doesn’t mean a lot to you in practical terms, you’re not alone: the Los Angeles Times reports there is a huge amount of confusion about what the law actually means. Less than a week before the law is set to go into effect, the paper writes:
Thanks to the technical complexity of the system and the rushed timeline for implementation, a number of basic questions remain unanswered. What does “sell” mean? How can companies be sure they’re deleting the right person’s data? And does simply having a website that keeps track of how many people visit each year mean you must wade into the regulatory thicket?
Looming questions about which firms meet the qualifications for being regulated by this new law have created an opaqueness such that the California State Attorney General’s office says it won’t start enforcing the law until July 2020. That’s a temporary reprieve for befuddled firms, but whatever the gory details of compliance turn out to be, it’s a sure bet that it won’t be a boon for businesses or consumers.
As evidenced by the real-world outcomes of the General Data Protection Regulation (GDPR) in Europe, the road to harmful unintended consequences is paved with good intentions. The CCPA and the GDPR have some differences (the EU shot the lights out with an opt-in regime, while California showed the slightest regulatory restraint with its opt-out approach), but the two are similar enough to expect the same dismal results.
As Roslyn Layton at the American Enterprise Institute chronicles, the GDPR has strengthened the industry’s largest players. Google, Facebook and Amazon have increased their market share in the EU since the regulations went into effect. Consequently, small advertising firms have lost approximately one-third of their market share. Larger firms can bear the high cost of compliance, while small and medium forms are less able to do so. Surely, that’s not what regulators concerned with monopoly and oligopoly power in the tech sector intended.
The CCPA regulations also carry with them the predictable consequences of chilling research and innovation in the tech sector, creating a false sense of security for online users, and inadvertently increasing cybersecurity risks. For example, how are firms to verify a customer asking for their personal information is, in fact, that customer and not a nefarious actor involved in identity theft?
Structurally, the concern is that the state that eventually implements the most stringent set of online privacy regulations will become the default regime for the entire nation, lest firms have to navigate fifty distinct sets of rules. CEI has long advocated for federal preemption when the free flow of interstate commerce is at risk. Big government-loving, high-population states should not impose their regulatory preferences on the entire country. This is especially true when their laws ignore and stunt the role of consumer education and the promise of emerging privacy-enhancing technologies.
Congress should act only to protect innovation and consumers – not to inadvertently harm both, as California lawmakers have almost certainly already done.