Heading 1

You can edit text on your website by double clicking on a text box on your website. Alternatively, when you select a text box a settings menu will appear. Selecting 'Edit Text' from this menu will also allow you to edit the text within this text box. Remember to keep your wording friendly, approachable and easy to understand as if you were talking to your customer

TAG Cyber Law Journal

October 2018
Lee Tien
Now that California has broken the ice, will other states follow, and will Congress pre-empt?
For privacy experts, 2018 was already quite a year when it was just half over. The EU’s General Data Protection Regulation (GDPR), which took effect on May 25, guaranteed that. But then, a month later, the other shoe dropped. In a sprint at the tail end of its session, the California legislature passed the California Consumer Privacy Act. It’s the toughest privacy law in the country, and it took a lot of people by surprise. How it happened is a long and complicated story, captured vividly by a recent article in The New York Times. Briefly, it was spearheaded by a real estate developer who was willing to spend his own money to sponsor a ballot initiative on privacy that he started working on long before the bill. It would have been much tougher than the law that eventually passed, and it would have given California voters a direct say on the issue in November. And after Facebook’s Cambridge Analytica scandal broke in March, it began to look more and more like the initiative had a chance to succeed. So the forces that opposed it, led by the big tech companies, negotiated a deal to replace it with a bill that wasn’t as tough. The developer was willing to accept this in exchange for withdrawing the ballot initiative, which wasn’t guaranteed to pass (especially given how much money would have been arrayed against it). And opponents were willing to live with a softer law that won’t go into effect until 2020, and will be much easier to amend than a ballot initiative.
      Lee Tien, who runs the legislative affairs department of the Electronic Frontier Foundation, has been involved in the negotiations. He also directs the EFF’s lobbyists in both Sacramento and Washington, D.C. The EFF , long champions of privacy, did not take a position on the ballot initiative, Tien says. Nor did it take one on the final bill. “The main reason for that was that we hardly got to see it,” Tien says, laughing. But he’s deeply engrossed in the action now. We asked him to walk us into the legislative weeds.

CyberInsecurity: What changes can be made to the law before it goes into effect in 2020?
Lee Tien: Any. Because it did not go the ballot way, it is just like any other law. It could be repealed entirely.

CI: You posted an article on the EFF website on August 8 about improving the law. What are you hoping happens next?
LT: Well, we consider the result to be good for privacy, although there are a lot of things that need to be fixed. Things that need to be cut back, and things that need to be expanded. Phase one was passage of  [Assembly Bill No.] 375 .  Phase two was the process that ended up in [Senate Bill No.] 1121 , which is still sitting on the governor’s desk, awaiting his signature. It’s the technical cleanup bill. Everyone understood that because the bill was so hastily put together, it would need to have a number of technical cleanups. There’s also something about getting money to the attorney general’s office for it to move forward on the attorney general regulatory process, which the bill also specifically stands up. So what we’re looking at from here on out are at least two tracks in California. One track is a legislative track, where we are going to work on improving the bill and defending it against amendments that we think would weaken it. And, at the same time, preparing to engage in the public stakeholder process that is going to be erected around the attorney general’s responsibilities, although we do not know yet what that is actually going to look like.

CI: When will the negotiations heat up?
LT: The session begins in January. I think there’s some deadline for policy bills to be introduced in February. So a lot of the negotiating has to happen beforehand. I’ll tell you, today is September 12. I’m not currently involved in negotiations with anybody, but that’s because we’re still waiting for 1121 to be signed. People are taking this as a sort of wait-for-the-governor month, where everyone wants to see where we’re headed. Because if 1121 isn’t signed, things will look very different. But at the same time, I’m quite sure that my friends in the business community are planning out, gaming out and thinking about what they’re going to do, come October. So we’re all trying to figure out what we’re going to do, but it is difficult. Because of the election, we don’t even know who is going to be in the legislature.

CI: Who has to comply with this law? It’s not only companies based in California, right?
LT: It’s companies doing business in California. If you’re a California resident, you should be receiving the protections of this law.

CI: If the company is headquartered and based in Delaware, but it has online sales and some of its customers are in California, then this affects that company, correct?
LT: That’s right. But the way that the bill defines “business” is interesting. Although it applies to for-profit entities that do business and process consumers’ personal information, it is also the case that they either have to have gross annual revenues in excess of $25 million, or they have to buy, sell, process or receive for business the personal information of 50,000 or more consumers, households or devices. Or they have to derive 50 percent of their annual revenue from selling consumers’ personal information. So if you are a company that does business in California—with California residents—and you meet one of those other criteria, then you would be subject to this law. It was an attempt to separate big from little.

CI: And profit from nonprofit.
LT: Right.

CI: Some companies have adopted the standards imposed by the GDPR, even though it doesn’t apply to them, in order to align themselves with the highest privacy standards. Do you know if companies that are not subject to the California law are taking the same approach?
LT: I wouldn’t be surprised if some companies are thinking that way right now about the California law. But I haven’t been reading about people saying that. And I think that there is still, within the business community, enough uncertainty about whether the statute is going to survive in its present form, because of either the weakening of the statute, or possibly pre-emption out of [legislation from] D.C. No one knows for sure, so I think it might be a little early for anyone to have decided that.

CI: Do you think that’s the sort of thing that in-house lawyers who track privacy laws for their companies should be discussing with management right now?
LT: Should they? Yes. Because the GDPR and the California statute, while not the same, do share a number of features. They share increased transparency, increased access to the information and the right to know: What do you have on me, and where is it going? Who else has it? These are the kinds of questions that the next-generation privacy law is going to care much, much more about. It’s a trend.  

CI: You alluded to D.C. a minute ago. Do you think there’s a chance that Congress will pass a privacy law?
LT: It’s hard to say. You could take the word “privacy” out of the question, and it’s still hard to say. It’s hard to say whether this Congress and this president can pass things that are substantively interesting. We’re  seeing right now a tremendous amount of difficulty just passing an appropriations bill that will keep the government funded, much less things that are regulatory. What we have seen in the past is a reluctance to pass privacy laws, because it’s not always clear that the folks in charge actually want privacy laws. Now we have a situation where other jurisdictions, in Europe and in California, are passing privacy laws. So the situation in D.C. is no longer: Should there be a law standing alone? Now it’s: Wait a minute, these other jurisdictions have created laws. There are actually things that companies have to do now, either because of the EU or because of California. What exactly is the role of the federal government, now that there are these other laws and they’re not ours? Is there something that Congress can do to negate those laws and create a law-free zone? Or is there going to be an attempt to create weak federal rules that will make the stronger state rules go away? Does that solve the problem? The companies can have no safe harbor with respect to the GDPR. There are a lot of questions about what D.C. wants, what the companies want. That makes it difficult to pass anything—there’s no clear trajectory.

CI: Do you expect that a federal law would be designed to pre-empt state laws, if one actually passed?
LT: It could. We just signed on to a letter on a privacy sort of bill attached to the data breach notification bill that is focused on entities in the financial services industry under Gramm-Leach-Bliley, and it has a pre-emption provision for financial institutions and their affiliates. And that is broader than it looks, because, as I understand it (I’m not an expert on GLB), GLB doesn’t just cover banks. It covers retailers that issue credit cards. If this federal bill is pre-empting all financial services GLB entities, then, if the retailer Target has a Target credit card, maybe that means that they are going to be within the scope of the pre-emption. I don’t know if it’s going to pass. I don’t know if it’s going to sit until next year, when, freed from the elections and with a more clear understanding of what Congress looks like, people might actually try substantive legislation. It’s unclear to me whether anything can pass this fall, at least before the election, given how few legislative days there are. That’s a very insider’s look. It doesn’t have anything to do with the politics of privacy. It’s more about the calendar and the election.

CI: True. But it wouldn’t have to pass soon in order to pre-empt the California law, which doesn’t go into effect until, at the earliest, January 2020.
LT: Oh, next year is going to be crazy. All I’m quibbling about is timing. There’s quite a bit of opportunity next year, but, again, it depends on what the elections say.

CI: So what kind of lobbying do you expect in Washington over this issue?  And I assume some of this is in progress as we speak.
LT: I expect a lot. And I think there has been a lot by the companies already. Last week, or the week before, we saw the U.S. Chamber of Commerce put out its privacy principles. And one of the top things on the Chamber’s list was pre-emption. Of course, they also didn’t want a private right of action. That was something that was cut back in California. The ballot initiative originally had a private right of action to enforce all of its provisions, and now [in the law] the private right of action only works for data breaches. Similarly, Internet Association (IA) put out its messages about principles , and there again, pre-emption was on the table. So I think part of what’s happening in D.C. is concern about the California law, and there is definitely a strong element of wanting federal pre-emption. We just do not know right now how strongly industry is going to insist, and we don’t really know what the leverage situation is like. I worked on the commercial privacy bill of rights back in the 2010-2012 period—the Kerry-McCain bill. Obama was president. But we still had to fight around pre-emption, even though that bill was bipartisan with a Democratic administration. But it was sort of an agreed-upon price of doing business in D.C.—that if you wanted Congress to do a bill, it was going to have pre-emption in it. At that time the privacy advocates were really the supplicants. And we wanted a federal bill. In the current situation, GDPR has come into existence without us doing anything, and without Congress being able to do anything about it. So companies in the United States that do business with EU residents—they’re going to have to deal with it. It’s not like the U.S. can immunize them from it. And now we have California, where we have worked to try to get a privacy law, and we’re going to continue to work to keep what we’ve got. From that context, the congressional privacy fight is less about us pushing. The function of D.C. in this situation is really more to try to stop the states.

CI: That leads to my next question. Are other states around the country considering enacting privacy laws of their own?
LT: My understanding is that they are. We have received inquiries. Over the summer, the state of Vermont was definitely working on privacy bills. The Vermont AG has been reaching out to consumer groups. Every time that states make progress on something, whether it’s broadband, privacy, net neutrality, other states are emboldened. They go, “Wow, you guys actually did something. We can do something too.”

CI: Any idea how many states might be thinking along these lines?
LT: No. I don’t have any idea. Remember, the states have very different calendars and schedules. A lot of them aren’t even in session right now. They’re like these funny desert plants. They have rain for a week every summer.

CI: Well, let’s say that other states were not only interested but actually did something and passed bills. Would that be a good thing? It seems like there could be a lot of confusion if California has one set of standards and Vermont has another set standards and Iowa has a completely different set of standards. That might be a difficult thing for companies to respond to.
LT: This is the old concern of companies always. Not just in privacy, but in any area of the law. Alcohol laws vary from state to state. Lots of laws vary from state to state. That comes with the notion of a federalist system. The central government and the states each share responsibility over public policy issues. It’s an issue for companies. But the companies’ complaints are often flawed, because while they complain about varying and inconsistent state regulation, often what they’re really complaining about is unduly strong regulation. Because it is often the case that you can make most of the states or all of the states happy simply by adhering to the most stringent rule. And if that’s the way you run your business, then you’re not going to have to worry about inconsistent laws. The problem comes when there’s a reluctance to do what the laws want you to do. A long time ago, I asked somebody about doing an impact analysis about data breaches. It’s true that there are something like 40-plus states that have data breach notification laws, but my understanding, from talking to people who specialize in this, is that you can write a checklist, and, by doing the 13 things on the checklist, you can satisfy pretty much every state that has a data breach notification law. 
Europe’s and California’s new laws have changed the landscape in Washington.
The action is on hold for the moment, but it’s sure to heat up in the year ahead.