Innovative California Privacy Law Sets Stage for Entire Nation

As the first state to implement privacy laws protecting consumers from Big Tech, California is being closely watched as it puts together a governing body with the job of regulating how Amazon, Google, Meta and other companies collect and exploit data from millions of people. Former Federal Trade Commission chief technologist Ashkan Soltani was appointed executive director of the California Privacy Protection Agency (CPPA) in October. Starting with a $10 million annual budget that many say is not nearly enough to battle pushback from tech lobbyists, Soltani is inventing a new paradigm.

“The new California agency reflects a larger shift in how the rules of the global Internet are being set — and who is setting them,” writes The New York Times, observing that in the U.S. states are stepping in to fill a vacuum by Congress. Federal lawmakers “from both parties have long said they would support a national privacy law. But negotiations in Washington have stalled, partly because of a dispute over whether a federal law should supersede state laws.”

The Colorado Privacy Act (CPA) and the Virginia Consumer Data Protection Act (VCDPA) were subsequently enacted, and “mimic California privacy laws,” according to The National Law Review, which says they also draw on “the EU General Data Protection Regulation (GDPR) by imposing stringent requirements on companies that collect or process personal data of state residents. Failure to comply may subject companies to enforcement actions and stiff fines and penalties.”

Last week, NLR reported that “at last count, at least 39 states have introduced (or passed) comprehensive privacy legislation. After what was previously a watch-and-wait game of legislative whack-a-mole, we are now seeing this legislation get passed and implemented more regularly and with greater speed.”

As a case in point, NLR cites the Utah Consumer Privacy Act (UCPA), which passed both houses of legislature within two months of the new year and as of March 3 awaits signature from Governor Spencer J. Cox.

But Axios suggests intrigue surrounding the proposed Utah law, writing that it is supported by the State Privacy and Security Coalition (SPSC), which along with another industry group, TechNet, is “pushing weak privacy bills in states while Congress dithers.” SPSC, Axios says, “describes itself as a coalition of leading tech, telecom, media and retail companies. Members include AT&T, Apple, Google, Amazon and Meta.”

Passed by ballot initiative as Proposition 24, the law that became the California Privacy Rights Act of 2020 is doing spadework for others to build on. At the heart of the law is the right of residents to demand their accrued data be deleted by entities deemed in violation of privacy rights, says NYT, indicating Soltani plans to hire about 35 people to staff the agency.

Writing that “dedicated data protection agencies are the norm in Europe,” NYT says California’s effort has garnered “global interest,” and that Soltani is in touch with European Data Protection Supervisor Wojciech Wiewiorowski regarding “the California agency — with Silicon Valley in its backyard — as a potentially fruitful ally to rein in the tech giants.”