Why California’s New Privacy Law Hurts Americans More Than It Helps Them

If you’ve read the news over the last month or so, you’ve probably seen article after article about the California Consumer Privacy Act, which went into effect on Jan. 1 as the first comprehensive state-level privacy law in the country.

Is CCPA a meaningful development in the privacy debate worthy of significant discussion? Sure.

Will it do much to better protect the vast majority of Americans who live outside the Golden State? Not at all – and it will probably do more harm than good.

Let’s be very frank: Allowing 50 states to create a patchwork of their own individual privacy laws only empowers the largest handful of digital companies, while ultimately pushing most of the mid-sized publishers, brands and retailers out of business. Why? Because the cost of legal compliance with 50 different and contradictory state laws – and fending off lawsuits from the ravenous plaintiff’s bar in all 50 states – is too expensive for all except the world’s largest brands.

Separate state laws will have the opposite effect of what privacy legislation should bring: clear rules of the road for all businesses, along with strong accountability and enforcement standards that protect all Americans equally.

The problem with CCPA isn’t just geography, though – it’s unfortunately much more fundamental. This law is cut from the same cloth as the approaches of yesteryear that revolve around providing consumers “notice and consent” about what’s happening with their data. Transparency and choice is, of course, important – but this approach has predominantly served to burden Internet users who simply find themselves blindly clicking “I accept” on one privacy notice after another. It doesn’t actually protect consumers – nor does having state after state attempt to adopt their own differing privacy requirements and businesses interpreting those laws differently.

The reality is this: The only way to provide real protections to internet users across the country is to pass a federal privacy law – and one that fundamentally institutes real consumer protections.

Here’s the good news: A comprehensive federal privacy bill is emerging as a real possibility for the first time in 20 years. Several senior lawmakers in Washington have declared this kind of legislation a top priority for this Congress, and stakeholders from the public interest community as well as industry groups across the economy are rightfully championing this effort.

But we need a bill written for the internet of 2020 – not one modeled off of how policymakers were thinking in 2000. That’s why a coalition of associations and businesses called Privacy for America has stepped forward to propose a different and stronger approach to privacy protection. Rather than trying to update the current, broken model, Privacy for America is advancing an entirely new paradigm for privacy protection – one that for the first time actually prohibits a broad range of harmful data practices and offers consumers these new protections nationwide.

Right now, consumers are confronted with privacy policies on nearly every website, requiring them to constantly choose what data uses to allow and what to block. Most internet users don’t have the time or background to really understand the implications of each privacy notice, and they become numb to their consent options. Their privacy protection depends often on where they live and what laws are in effect in that locale.  And even so – as we hear in the news seemingly once a week – bad actors often infringe on consumer privacy, emboldened by a lack of federal resources and authority within the Federal Trade Commission.

The Privacy for America approach shifts that burden from consumers. It would clearly outlaw harmful practices, like sharing consumer data with third parties without entering into enforceable contracts that ensure those entities will use the data lawfully. It would block, among other restrictions, companies from using data about someone’s race or religion when determining prices for products and services. And it would provide substantial new authority, resources and staff to the FTC so it can more aggressively detect, pursue and punish wrongdoers – including imposing strict penalties on companies that do not adhere to the prohibitions. This is a comprehensive approach, developed over many months, that is designed to address our contemporary digital landscape with an equally new approach that is up to the task of protecting consumers.

Much like civil rights, auto safety and food safety in the 20th century, certainly consumer privacy and data security are important enough for federal oversight in the 21st century. We simply cannot try to depend on unpredictable and fragmented state action – especially when it’s stuck in the past. We must stay focused on the main goal: ensuring Congress moves as quickly as possible to enact comprehensive legislation that reimagines how we can give consumers strong privacy protections – and do it for all Americans.


Randall Rothenberg is the CEO of the Interactive Advertising Bureau and previously served as chief marketing officer of Booz Allen Hamilton and a media and marketing reporter at The New York Times.

Morning Consult welcomes op-ed submissions on policy, politics and business strategy in our coverage areas. Updated submission guidelines can be found here.

Morning Consult