In a letter Tuesday to certain committee leaders in the U.S. Congress, California Attorney General Xavier Becerra proposed that any federal data privacy legislation should “build on” the rights afforded to consumers in the California Consumer Privacy Act (CCPA). Federal data privacy law should also provide individuals with a private right of action and give state attorneys general parallel enforcement authority, the California AG maintained in his correspondence.
In fact, Congress should “look to states as sources of innovation and expertise” in data privacy, Becerra wrote. Rather than seeking to “undermine protections” like the CCPA, Congress should enact data privacy legislation “that sets a federal privacy-protection floor rather than a ceiling,” he suggested.
“I have always said that California would not be preempted without a fight,” observed Cynthia Cole, special counsel at the law firm Baker Botts. “The state has worked too hard on the CCPA to get pushed aside by a federal law.”
California’s law went into effect on Jan. 1 of this year and is set to be enforced beginning in July. Meanwhile, regulations implementing the state law have been proposed and revised but not yet finalized. A number of impacted organizations have submitted comments on the proposals and are struggling to comply with a law that, in the minds of some, could use a bit more finesse.
The CCPA “is so confusingly written as a result of the last-minute negotiations that it is the poster child for how not to draft legislation,” said Robert Cattanach, a partner at the law firm Dorsey & Whitney. “Any thought of simply adopting it as a national standard” would be “rejected out of hand,” he continued.
Making things more complicated
If Congress were to move forward by following the California AG’s proposal, “any federal law would not be worth the paper it was printed on and would be rendered meaningless,” explained Heather Buchta, a partner at the law firm Quarles & Brady. “Why would Congress undertake efforts to pass a federal law that sets the floor but not the ceiling at a time when so many states have legislation in the works?”
Becerra’s position—that there be no federal preemption of state law in this arena—would make it “extremely burdensome” for businesses to comply with both a federal law as well as with state laws that impose additional or different obligations, explained Julie O’Neill, a partner at the law firm Morrison & Foerster. “A federal law could preempt state laws’ inconsistencies—even things like how quickly to respond to individual rights requests, for example—while still providing consumers with rights regulators deem important.”
“Even the California AG’s own projections show the cost of compliance with CCPA will run well into the billions and, as more and more states jump onto this bandwagon, the compliance costs will increase exponentially because of the lack of uniformity,” Cattanach said.
Excerpt from Becerra letter
I urge you and your colleagues to develop a final bill that builds on the rights afforded by CCPA and the additional guidance in our regulations. Congress should provide consumers with data privacy protections, including but not limited to:
- The right to access, correct, and delete personal data that has been collected;
- The right to minimize data collection, processing, and retention;
- The right to data portability among services; and
- The right to know what data is collected and processed and for what reasons.
I welcome a federal partner with the tools and resources for vigorous enforcement of new consumer rights. Nevertheless, it’s critical that Congress extend enforcement powers broadly. Congress should make clear in any legislative proposal that state attorneys general have parallel enforcement authority and that consumers also have the opportunity to protect their rights directly through a private right of action.
Finally, and most importantly, I invite Congress to look to the states as sources of innovation and expertise in data privacy, and not to undermine protections, like CCPA, that states have already developed. Therefore, as I noted above, I encourage Congress to favor legislation that sets a federal privacy-protection floor rather than a ceiling, allowing my state—and others that may follow—the opportunity to provide further protections tailored to our residents.
Source: Xavier Becerra
Joint federal and state roles
As untenable as the regulated community may find it, there are precedents where Congress has passed legislation that respects more stringent state laws. For example, the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule “does not preempt state law that provides greater privacy protections or privacy rights with respect to individually identifiable health information,” explained Brian Kint, a member at the law firm Cozen O’Connor.
HIPAA establishes “ ‘floor’ privacy protections and does not preempt more stringent state medical privacy laws,” said Reece Hirsch, co-head of the privacy and cyber-security practice at the law firm Morgan Lewis. It’s a regulatory approach that “has worked fairly well,” he said. “But the key difference is that state medical privacy laws are generally less comprehensive and prescriptive than HIPAA,” Hirsch cautioned.
“Other federal statutes have also provided for federal and state law enforcement including the CAN-SPAM Act and many other federal consumer statutes,” observed Mark Krotoski, a partner at Morgan Lewis.
What’s the holdup?
Preemption matters aren’t the only stumbling blocks for any prospective federal legislation on data privacy. Whether there should be a private right of action has also been a “primary sticking point” with respect to federal data privacy legislation, Hirsch said.
Some understandably are concerned about litigation costs associated with either the CCPA or any federal version of it. A “problematic feature” of the California law “is the creation of statutory damages for data breaches,” Cattanach said.
With “automatic statutory damages” starting at $100 ($750 for intentional violations) whenever a data breach occurs, “not only will plaintiffs now have an unencumbered path to the courthouse, but the minimum of $100 per plaintiff in damages will virtually guarantee class actions for any data breach involving any significant number of California residents,” Cattanach said.
Will this ever be resolved?
Interestingly, “states have been more responsive to privacy concerns than at the federal level,” observed Emma Maconick, a partner at the law firm Shearman & Sterling. To that end, “there is real practical value in allowing states to continue to legislate in this area,” she said. “Within certain limits, of course,” Maconick cautioned.
Still, the high cost of complying with the CCPA “will be multiplied as other states adopt different privacy standards and obligations,” Krotoski said. “As greater conflicts occur among the states, a federal privacy law will become inevitable.”
“Somehow Congress and the states have to find a path here,” Cattanach said.
Lori Tripoli is a writer based in the greater New York City area who focuses on legal and regulatory issues.