In recent years, California leaders have resisted past and current federal comprehensive data privacy legislation despite the fact that all Americans deserve strong privacy and security protections. This issue is in the spotlight again because a draft of the American Privacy Rights Act (APRA) was released in Congress this month and has garnered strong bipartisan support.
The APRA is largely based on the American Data Privacy Protection Act (ADPPA) introduced in 2022, which could not cross the finish line. Discussions around ARPA continued in a recent congressional privacy-related hearing, where there was strong sentiment among committee members and witnesses for an urgent need for a national standard. However, California Privacy Protection Agency Executive Director Ashkan Soltani has already opposed the APRA because it would override the law his agency is tasked to enforce.
Contrary to Soltani and many other outspoken California leaders, however, the APRA offers California residents and all Americans needed protections. Some might argue these protections are too strong given APRA’s strict rules about collecting and only keeping the necessary amount of data needed. And, if passed, it would override California’s privacy law (the CPRA) along with every other comprehensive state privacy law since it would be a federal law passed by Congress.
But the APRA draft is still in its early stages, which means that California leaders can help lead discussions and provide suggestions to help guide and improve a law that protects all Americans while ensuring California businesses can thrive, even if that law overrides the CPRA. In fact, overriding California’s misguided law is one of its selling points.
One problem the APRA would help resolve is that the current disharmony of laws is costly and burdensome. The CPRA has cost California’s economy a staggering $46 billion, with small businesses shouldering a significant $9 billion burden. And this does not even account for the cost of the growing maze of state privacy laws that California businesses must navigate. Importantly, California leads all states with 4.19 million small businesses, and its robust and talented applicant pool has led the way with technology startup companies.
While state privacy laws share similarities, their definitions, and legal mechanisms vary widely, leading to complex and costly compliance. For instance, sensitive data is defined in multiple ways across state privacy laws, incorporating information like a person’s driver’s license and social security number, which most consider sensitive.
However, as each state introduces its privacy law, the definition continues to expand, including information like pregnancy information and gender status. Potential legislation in Maine, which many California businesses would have to comply with, could include “gender identity” as sensitive data, making a consumer’s search for “girls’ shoes” fall into sensitive data processing and requiring consumer opt-in. Sensitive data needs heightened protections but should not disrupt basic consumer search queries. Yet, if the United States. opts for a 50-state framework, the risk of disruption will increase.
The legal mechanics of each state’s privacy laws are different, too. Under the CPRA, a business can process sensitive data but must allow a consumer to opt-out. At the same time, recent laws in several other states require consumers to opt-in for companies to process sensitive data. A federal law that provides clear definitions and legal mechanisms for processing data would pave the way for businesses to comply efficiently.
Related Articles
Kamala Harris for governor of California? It could happen.
The Republican Party needs to save itself from the populist Trump cult
California’s uncertain future with zero-emission vehicle mandate fast approaching
Fight over Huntington Beach voter ID laws: Letters
Assembly Democrats kill bill to ban use of NDAs in legislative negotiations
There are also national security concerns about the significance of data privacy and cybersecurity in protecting American data from bad actors and adversarial nations. While Californians’ data is largely protected, what about the data of non-California residents? In the wrong hands, it could still negatively impact California residents. For example, espionage and intelligence gathering of non-California residents’ data could be used by malicious actors to gain insights into U.S. infrastructure and critical systems or networks affecting all Americans. The potential risks are too high to ignore.
There are also non-national security factors. Many California residents invest in stocks through active investing or retirement accounts tethered to the stock market. A study revealed that business data breaches can cause stock prices to plummet. Additionally, data breaches can result in rising costs for California consumers, as 60 percent of businesses that suffered a data breach increased the cost of their services or products. With a comprehensive federal privacy and security law, covered businesses would have parameters set on data security practices, and potentially, fewer data breaches might occur.
This is not just a call to action for California leaders – it is a responsibility. It’s time for them to step up and support a comprehensive federal privacy law. A comprehensive federal privacy and security law can positively impact California’s economy and enhance Californians’ privacy and security.
Steven Ward is a privacy and security fellow for the R Street Institute’s Cybersecurity and Emerging Threats team