California’s Privacy Patchwork Demonstrates the Challenges of Multiple Laws

The potential disruptive impact of multiple state privacy laws creating a patchwork quilt of inconsistent or conflicting restrictions has been spotlighted for some time.  What has not been adequately focused on is that these types of inconsistencies can take place within states as well as between them. California’s privacy landscape is a prime example as its various privacy restrictions have constantly grown more and more complex.  The California Consumer Privacy Act of 2018 (CCPA) has joined the California Online Privacy Protection Act (CalOPPA), the “Shine the Light” statute (STL), and other laws as the newest addition to the sweeping privacy  legal array in the “Golden State.”  Instead of strengthening protections for California consumers, differences in the state’s multiple privacy laws could have the exact opposite effect.  Misalignments between them could frustrate consumers and confuse businesses in their earnest attempts to comply with competing requirements.

In Section 1798.175, the CCPA states that “wherever possible, law relating to consumers’ personal information should be construed to harmonize with the provisions of this title, but in the event of a conflict… the provisions of the law that afford the greatest protection for the right of privacy for consumers should control.”  Though this section directly addresses the possibility of incompatible or conflicting privacy laws in California, it unfortunately presents many more questions than it answers.  For instance, how can CalOPPA and STL be “harmonized” with the CCPA?  What constitutes a “conflict” between those laws?  And which provisions of the many California privacy laws in existence today “afford the greatest protection” for the right of privacy for consumers?

CalOPPA and STL address some of the same topics covered by the CCPA.  For example, the laws cover privacy policy disclosures and the right to access personal information in varying degrees, thereby presenting challenges regarding the right way to interpret the overlapping requirements.  This complexity is compounded by the fact that the CCPA’s enforcement date of July 1, 2020 is quickly approaching, and the regulations implementing the law’s numerous complex and ambiguous provisions remain unfinalized.  Making matters even more confusing, signatures to qualify the “California Privacy Rights Act” (CPRA or CCPA 2.0) ballot initiative were recently submitted to counties across the state, meaning that an entirely new legal regime could replace the CCPA very soon.

California’s experience with multiple competing privacy statutes and initiatives illustrates the complexity that can be created when conflicting standards apply to the same topic.  The issues posed by multiple privacy laws in California serve as a useful barometer for what could happen across this country as more and more states enter the fray and pass privacy legislation.  

Consumers in California and the United States as a whole would be far better served by a single, strong national data privacy standard that provides clear, consistent protections for consumers.  For this reason, ANA supports Privacy for America, a framework for national legislation that  defines prohibited data practices that make personal data vulnerable to breach or misuse, insures enforcement through an expanded and strengthened Federal Trade Commission, while preserving the benefits that come from responsible use of data.  As experience in California demonstrates, multiple privacy laws can lead to conflict and confusion.  A unified, national approach to privacy is the only way to assure clear protections for consumers wherever they reside in the United States, while providing much needed certainty and consistency for businesses.