Law in the Internet Society

Data Protection in the US - quo vadis?

-- By EricN - 07 Dec 2019

Status Quo

The internet user’s perception of data protection and the awareness about the use and storage of one’s personal data has enormously changed in recent years and countries all over the world are either working on or have already implemented new rules and regulations, providing their citizens the legal tools to (purportedly) do something about the potential misuse of their data. The implementation of the GDPR has definitely started a certain movement, but this article wants to focus on the upcoming shift in the US data protection landscape (on a State level, as there is no single, comprehensive data protection framework on a federal level), starting on January 1, 2020 with the implementation of the California Consumer Protection Act (CCPA). So, with only a few weeks’ time left until this historic change in US privacy regulations, the question to be asked is, does the CCPA change anything and where does US data protection go from here?

The CCPA

The CCPA is coming into effect in times where data breach scandals such as Cambridge Analytica or the Equifax leak (which resulted in a $575 million settlement with the FTC: https://www.ftc.gov/news-events/press-releases/2019/07/equifax-pay-575-million-part-settlement-ftc-cfpb-states-related) dominate the news headlines. The main goal of the CCPA is therefore primarily to protect the personal data of consumers (well for Californian consumers) and give them better control over their data. Despite the good intention of Californian lawmakers, the general tone in the jurisprudence is that the law is poorly written – it is more than 10’000 words, which is undeniably very long for such a law – and according to Goldman “insanely complicated” (Eric Goldman, Internet Law: Case & Materials, July 2019 version). But in a nutshell, the CCPA will be the toughest and most comprehensive data privacy law in the United States and it is hardly a coincidence that it comes from California (California is not only the largest economy in the United States, but also the world’s fifth largest economy: https://en.wikipedia.org/wiki/Economy_of_California).

Without going into too much technical detail, the CCPA is supposed to provide consumers in California enhanced privacy rights, much like the GDPR. Consumers will have the right to know what personal data is being collected by companies, they have a right to access their data and can request the deletion of their data and, unlike any other data protection law enacted (worldwide), the CCPA requires companies to install an opt-out link on their website, allowing consumers to opt out of sharing their data with any third parties (https://www.dataprotectionreport.com/2019/02/gdpr-ccpa-and-beyond-changes-in-data-privacy-laws-and-enforcement-risks-to-monitor-in-2019/). Although not all of the provisions or the applicability of the CCPA are crystal clear, one can see towards where privacy is shifting, which is essentially the consumer. If the consumer is ready to accept these rights, which also entail the obligation to use the allotted privileges, cannot yet be answered and time will tell.

Quo vadis

California could definitely be described as a pioneer in the legalization of data protection rights in the United States and it already can be observed, how the CCPA has set something in motion. Although the law only applies to California based companies who meet certain thresholds, it must also be observed by out-of-state merchants who sell to Californians (and as said, California is the world’s fifth largest economy). There is chance that companies will not create to different data protection systems, but rather apply the rules of the CCPA nationwide (https://fortune.com/2019/09/13/what-is-ccpa-compliance-california-data-privacy-law/). On the other hand, the CCPA has already influenced 11 states (including New York, Nevada, Maryland, New Jersey and Washington) to introduce similar legislation, which all include their own, slightly different version of consumer rights. On the one hand, these movements amplify the problem of a data protection patchwork, on the other hand, it might motivate companies to implement a nationwide data protection compliance including consumer rights, or it even might result in efforts of the US Congress to step in and implement national comprehensive data privacy legislation.

Conclusion

After the endeavors, various companies faced in May 2018 to get up to date and compliant with the GDPR, the CCPA undoubtedly is putting the next regulatory challenge upon many companies. Although the two laws are not completely different, there is still much to do for affected companies to be ready in three weeks’ time.

So, will the CCPA change anything? For us as consumers, this is a question not easy to answer, but the CCPA will definitely give Californian consumers the right to actually know, what data companies are storing about them and to request deletion of such data. If you’re are a company affected by the CCPA, it will definitely change how you will handle consumer data in the future and probably this is a good thing. However, looking at the comprehensive data subject rights under the GDPR and their use by its addresses (only three out of ten European citizens have heard of their new privacy rights: https://www.helpnetsecurity.com/2019/06/18/gdpr-application/), one could come to the sobering realization, that people just don’t care about their data or privacy.

The tools do something about our privacy are there, but they’re poorly used. Maybe we need a second Cambridge Analytica to wake up. In summary, the initial question whether the CCPA will changes anything or not can definitely be answered with e clear yes. The CCPA has not only set data protection legislation in various other US States into motion, but it also helped to start the process of realization of consumers, that their data is value and that they have certain rights to protect their data. In the end however, it is up to all of us to start appreciating the value of our data and it therefore is in our hand to change the way companies handle our data.


You are entitled to restrict access to your paper if you want to. But we all derive immense benefit from reading one another's work, and I hope you won't feel the need unless the subject matter is personal and its disclosure would be harmful or undesirable. To restrict access to your paper simply delete the "#" character on the next two lines:

Note: TWiki has strict formatting rules for preference declarations. Make sure you preserve the three spaces, asterisk, and extra space at the beginning of these lines. If you wish to give access to any other users simply add them to the comma separated ALLOWTOPICVIEW list.

Navigation

Webs Webs

r1 - 07 Dec 2019 - 00:30:52 - EricN
This site is powered by the TWiki collaboration platform.
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.
Syndicate this site RSSATOM