The California Consumer Privacy Act (CCPA) has been in force since January 1. I have written previously about compliance questions, and about how widely companies differ in whether they classify themselves as sellers of data; even major tech companies interpret the law differently. One thing, however, is not in question: while the issues with the current law are still being sorted out, the future of CCPA is already being discussed. California's lead on privacy in the U.S. is widening, and powerful EU data privacy regulators are taking note.
Late last year Alastair Mactaggart, the architect of the CCPA, filed a new initiative for the November 2020 California ballot. If passed, it would significantly strengthen the CCPA and create a dedicated enforcement agency, the California Privacy Protection Agency. Notably, the initiative was introduced before the current version of the CCPA had even gone into force.
In addition to establishing a new enforcement authority, the updated law would also include "new rights around the use and sale of sensitive personal information," increase protection for children by "tripling CCPA's fines" for children's privacy violations, and require companies to receive opt-in consent before collecting the personal information of consumers under the age of 16.
In speaking about his new initiative, Mactaggart indicated that raising the bar for California actually may raise the bar for the entire U.S. in the event its fabled federal privacy law becomes a reality. Mactaggart said that conversations in Congress regarding a federal law have included calls for “nothing weaker than California,” underscoring the importance of his new initiative as it relates to the U.S. as a whole.
California has even piqued the interest of EU regulators, who recently discussed the possibility that, at least in theory, California could achieve adequacy for data transfers under GDPR rules. Adequacy has previously been granted to entire countries, Crown Dependencies, territories of EU member states, and frameworks such as Privacy Shield; it has never been granted to a single state within a country. Hopefully this possibility will encourage the rest of the U.S. to get on board with a strong, GDPR-like federal privacy law, one powerful enough to satisfy the EU and to protect citizens on both sides of the Atlantic.
What ‘Adequacy’ Means Under the GDPR
What does "adequacy" mean in reference to the EU's privacy regime? Under the GDPR and its predecessor, the Data Protection Directive, the EU places stringent restrictions on transferring the personal data of individuals in the EU to countries outside the European Economic Area. Personal data can, however, flow freely to countries that the European Commission has officially recognized as adequate.
To be deemed adequate, a country must have data privacy protections in place that are substantially similar to those provided in the EU. An adequacy decision must be adopted by the European Commission after a lengthy, multi-stage process that also involves the European Data Protection Board and the European Parliament. The U.S. is not currently considered adequate, so transfers to the U.S. are not lawful without additional safeguards (such as standard contractual clauses). For now, the only U.S.-specific transfer mechanism is the Privacy Shield framework, which applies only to eligible companies that self-certify under it.
A major criticism of Privacy Shield is that it fails to safeguard EU data from U.S. intelligence agencies. Privacy Shield just passed its third “health check,” but the framework’s validity is currently being challenged before European courts.
Can an EU-California Data Privacy Deal Get Done?
Privacy experts are now debating whether or not it’s possible for the EU to make a data privacy agreement with a single U.S. state. In theory, it is possible based on Article 45 of the GDPR which explicitly permits an adequacy decision for a “territory or one or more specified sectors within” a country, such as a state. In its current form however, California and its CCPA are unlikely to meet the minimum threshold required to achieve such a decision.
Obstacles to California being accepted include:
- Despite being the strongest privacy law in the U.S., in its current form the CCPA falls short of the GDPR's consent and lawful-basis requirements and of the broader set of rights the GDPR affords data subjects; the CCPA's core control is an opt-out from the sale of data, not an opt-in to its collection and use.
- CCPA is enforced by the California Attorney General, rather than an independent, dedicated supervisory authority.
- CCPA only protects the personal information of California residents.
- California is still subject to U.S. federal law, so the concern that dogs Privacy Shield, access to transferred data by U.S. intelligence agencies, applies just as much to data held in California.
If passed, Mactaggart’s new initiative would appear to address some of the issues noted above and would bring California closer to being a legitimate candidate for adequacy. The reality, however, is that California still has a long way to go before adequacy becomes a real possibility.
For now, the fact that such a scenario is even being discussed shows just how relevant California is to privacy on the global stage, which will hopefully lead to more pressure on federal lawmakers to get in line with what U.S. citizens and the world community are increasingly demanding: comprehensive privacy protection for all. With future changes in California possible and more states following suit, it could be quite an interesting regulatory ride.
A version of this article was originally published on CMSWire.