Sunday, February 5, 2023

Californians Deserve Better Data Privacy Laws, Not More

“As California goes, so too does the rest of the nation.”

It is true that this state has long sought to lead the way and set the “strongest law in the nation” in any number of categories. More and more, though, it seems that the broadest possible law gets passed, and then the next year legislation is brought to pass an even broader law on the same topic.

For those entities that must comply with those laws, and want to comply with those laws, this is problematic for obvious reasons.

Take California’s approach to data privacy rights over the last several years, starting with the California Consumer Privacy Act of 2018 (CCPA). The ink on the Governor’s signature hardly had a chance to dry on that landmark comprehensive data privacy law before an influx of bills were introduced.

From overhauling and changing heavily negotiated elements of the act to adding separate protections for specific types of information, industries, or technologies in the piecemeal approach to public policy that the CCPA moved away from, they just keep coming.

2022 Legislation

This year has been no exception. To provide just two examples:

SB 1172 (Pan; D-Sacramento) would, for the first time, amend the voter-approved California Privacy Rights Act (CPRA) to address a single industry (businesses providing proctoring services in educational settings) and add a new private right of action.

SB 1189 (Wieckowski; D-Fremont) would create additional restrictions separate from the CPRA around the collection and use of a single type of personal information (biometric information) and add a sweeping private right of action that guarantees statutory damages even for technical violations, where no actual harm is shown.

Premature Proposals

It is an understatement to say these bills are unnecessary, if not premature given existing and forthcoming privacy rights under the CCPA and the CPRA.

Premised on the idea that broader protections and stronger enforcement is needed given the unique sensitivity of the information involved, they ignore the fact that additional protections for sensitive personal information take effect under the CPRA on January 1, 2023, and enforcement does not begin until six months later. This means it is too soon to identify any gaps in the law justifying the need for these bills.

In contrast, there is no question that, if approved, they would create more confusion and complications for businesses that must effectuate the laws. And more opportunities to sue them for good faith errors.

All of this is to say: rights that cannot be properly implemented are of little benefit to anyone. At some point, this state may wish to seriously consider whether Californians and California businesses would all be better served by ensuring we have the strongest laws in practice, and not just the strongest laws “on the books.”

Staff Contact: Ronak Daylami

Ronak Daylami
Ronak Daylami
Ronak Daylami, an experienced attorney, joined the California Chamber of Commerce in March 2022 as a policy advocate specializing in privacy issues. She came to the CalChamber policy team from Nielsen Merksamer, where she served as senior counsel in the firm’s government law section specializing in privacy issues, state regulation of business practices, consumer protection, and legislative process. Daylami previously worked for nearly 10 years in the Capitol, most recently as the chief consultant of the Assembly Privacy and Consumer Protection Committee, where she provided expertise on privacy, cybersecurity, consumer protection, and deployment of technology by state government, as well as counsel to the committee chairman during the negotiations and passage of the California Consumer Privacy Act. She earned a B.A. in political science and minored in English at the University of California, Berkeley, and a J.D. from University of California, Hastings College of the Law, where she was a senior articles editor for the Constitutional Law Quarterly. See full bio.

Related Articles

Many Privacy Rights Act Provisions Take Effect Jan. 1

Originally passed in 2018 and effective in 2020, the California Consumer Privacy Act (CCPA) is a comprehensive privacy law aimed at enhancing California residents’ privacy rights and consumer protection. To ensure those privacy rights and...

Governor Completes Action on Priority Business Bills

Last Friday, Governor Gavin Newsom completed action on bills sent to him by the Legislature, including priority bills for the California Chamber of Commerce. Just two job killers reached the Governor for action, and he...

California Consumer Privacy Act Will Apply to Employers in 2023

In Episode 160 of The Workplace podcast, CalChamber employment law expert Matthew Roberts and CalChamber policy advocate Ashley Hoffman discuss the current state of the California Consumer Privacy Act (CCPA) and how it will...