Updated: Mar 5, 2019
By Emily Leach
On this Friday before hundreds of privacy pros head to Fremont, California, for the IAPP’s CCPA Comprehensive, it seems appropriate to acknowledge the shifting going on above the San Andreas Fault. Legislative changes in California seem to have a nation-wide effect, and the California Consumer Privacy Act has been no exception.
The CCPA has sent its rumble through the federal legislature, leading to proposals from lawmakers, industry and advocacy groups. State legislatures have also taken notice. According to Wilmer Hale’s Privacy and Data Security Alert: States Consider Privacy Legislation in the Wake of California’s Consumer Privacy Act, Hawaii, Maryland, Massachusetts, New Mexico and Rhode Island all have proposals modeled on the CCPA.
At Calif. Assembly hearings on the CCPA this week, legislators, industry groups, advocates and others squared off on the law’s private right of action, its definitions, and the ability of companies to comply with it in time for the 2020 effective date. The hearing made it clear that we can expect more changes coming down the pike.
But California being California, that’s not all there is to talk about.
The state that passed the first breach notification law in the country may soon see even stronger rules. California Attorney General Xavier Becerra and Assemblymember Marc Levine, D-San Rafael, have announced AB 1130, which would add passport numbers and biometric information to the current list of information that when breached require notification. The list now includes Social Security numbers, driver’s license and credit card numbers and health insurance information.
Additionally, Gov. Gavin Newsom announced he's coming up with a proposal for a “data dividend.” The idea being that consumers would get to profit from the data they wittingly or unwittingly share with tech companies online. CBS reports that Common Sense Media is putting together a plan that aligns with Newsom’s proposal. The report seems to imply the plan could return a quarter of “the value of an individual’s data.” Whatever that means.
The data dividend idea has made its rounds before, and has plenty of critics. Operationalizing it, getting consumers to understand it, and, as suggested above, setting a value for data would be major hurdles. However, looking at the lead-up to the passing of the CCPA, it seems Californians have a big appetite for privacy protections, so it would likely be unwise to write it off.
Going into next week’s conference, there’s certainly plenty to talk about. Come chat with the Aarons (Weller and Stevens) over at Sentinel’s booth and pick up one of our CCPA Workbooks. It’s the text of the law with lots of blank space for notes and annotations. Bring it into your sessions and take notes on specific provisions. Add amendments as they come to pass. Write down your questions. Or just doodle (no one will know).