Naked Security

No federal privacy law will make it in the US this year, sources say

Without one, the companies that collect our data will likely face compliance with California's take-no-prisoners law, in effect 1 January 2020.

You know about that one, much-hemmed-and-hawed-over, GDPR-ish, national, US privacy law? The one we don’t have? The lack of which means the country’s data privacy landscape is made up of a crazy quilt of state laws?

Not happening. Not this year.

In spite of the US Federal Trade Commission (FTC) marching down to Capitol Hill to beat the drum for a unified federal privacy law (and more regulatory powers to enforce it), and in spite of both the House and Senate holding hearings on privacy legislation, transparency about how data is collected and shared, and the stiffening of penalties for data-handling violations, the US is not likely to see an online privacy bill come before Congress this year.

That’s according to Reuters’ anonymous sources, who say that lawmakers haven’t managed to agree on issues such as whether the bill would preempt state rules.

And when we’re talking about state rules, we’re talking about the elephant in the room: California’s Consumer Privacy Act (CCPA), which goes into effect on 1 January 2020.

In lieu of a federal law – the one we’re not getting this year because nobody can agree on what it should do – the CCPA might turn into the de facto privacy rule of the land. Tech companies are terrified that it’s going to be strict, and it’s going to be expensive for all the companies that slurp up consumer data to track us, market at us and profit from selling our data… or which screw up by fumbling that data, or which quietly pickpocket that data, as the case may be.

In hearings over possible privacy legislation – which neither you nor I have been invited to, fellow citizen, though tech companies have – lawmakers and online advertising representatives have grumbled about tough laws such as the CCPA and the EU’s General Data Protection Regulation (GDPR), saying that such strict laws could lead to businesses being swamped by fines and compliance costs, and that consumers have been buried in a blizzard of required notices and privacy policies they don’t bother to read.

During a Congressional hearing in February 2019, this is what Dave Grimaldi, executive vice president for public policy at Interactive Advertising Bureau, had to say about the CCPA’s requirement that businesses have to hand over consumers’ data when requested:

[If a business doesn’t meet the timeline], it is in violation of the law. [Given the potential for thousands of requests,] that’s something smaller companies wouldn’t be able to deal with.

Without a federal law to save them from having to submit to the California law, tech companies, retailers, advertising firms and others dependent on collecting consumer data to track users and increase sales – think Google, Amazon, Facebook or Walmart, to name just a few – are worried that the strict requirements of the CCPA are going to tear a hole in their corporate pockets. They all collect data on shoppers, whether it’s to run their sites or to derive online data in order to provide “free” services in exchange for advertising at us.

Reuters quoted Gary Kibel, a partner specializing in technology and privacy at law firm Davis & Gilbert, who said that complying with California law will be quite a challenge for such companies:

This will be tremendously challenging… companies need to really focus on complying with California now because there is not going to be a life raft from a federal level.

Sources involved in legislation negotiations told Reuters that a discussion draft might arrive before year’s end, but these are some of the issues still to be ironed out:

  • Is it sufficient to simply ask consumers to consent to collection of personally identifiable information (PII) and to give them the opportunity to opt out?
  • How will the new law be enforced?
  • How much information should be deemed private?
  • How should the law govern how consumer information gets shared with third parties?

A draft of the federal bill is expected to be released before year’s end, sources said. A draft of the House version of the bill could arrive within a few weeks, one source said.

The GDPR-ish CCPA

California’s law isn’t just for California businesses, of course. Businesses that operate in California or have customers, or potential customers, there will still be on the hook if they meet one of these criteria:

  • Have annual gross revenue of more than $25 million.
  • Receive, share, or sell the personal information of more than 50,000 individuals.
  • Earn 50% or more of their annual revenue from selling consumers’ personal information.

Consumers’ rights under CCPA can be grouped into these general categories:

  1. Businesses must inform consumers of their intent to collect personal information.
  2. Consumers have the right to know what personal information a company has collected, where the data came from, how it will be used, and with whom it’s shared.
  3. Consumers have the right to prevent businesses from selling their personal information to third parties.
  4. Consumers can request that businesses remove their personal information.
  5. Businesses are prohibited from charging consumers different prices or refusing service when a consumer exercises their privacy rights.

We’re still waiting for California’s attorney general to issue regulations about the law, but we do know that each violation carries a $7,500 fine.

One of Reuters’ sources who’s pushing for a federal privacy law said that without it, the CCPA is going to hurt:

California will go into effect without Congress doing anything this year on the federal bill. That’s a big problem because of the business impact this will have.

5 Comments

Stories like this keep politicians happy. It means Google, Amazon, Facebook and the likes will be pitching even more lobby (bribe) money at them to keep status quo.

Reply

VPN and DNS over TLS. Might as well make it a little bit harder for them all. The public also needs to be made more aware of how to better secure themselves; it’s not that hard.

Reply

If I had a business, I’d simply exclude California customers from my website, in the same way out-of-state users can’t place online bets to bookmakers in NV or NJ. There’s plenty of opportunities to make money, even while excluding unfriendly places.

And, just maybe, it’ll motivate Californians to finally get rid of overreaching politicians, in the same way some of the EU is beginning to turn their back on the added hassle of GDPR.

Reply

“And, just maybe, it’ll motivate Californians to finally get rid of overreaching politicians, in the same way some of the EU is beginning to turn their back on the added hassle of GDPR”

Sources? I really don’t think any of the EU27 are turning their back on GDPR. It is legally binding on every EU member state, and none of the EU27 have the discretion to ignore it.

Or do you mean the UK? Hate to break it to you, whether the UK finally leaves or not, the Data Protection Act 2018 basically encapsulates GDPR directly into British law. If it were not so, the UK would have no opportunity to share data with mainland Europe, making trade all the more difficult.

Reply

I’m pretty sure the law is targeted towards Google and Facebook, which have data collection probes everywhere and keep mishandling data. Because they are based in CA, I doubt this will make them leave.

Reply
