You might expect that the home of the world’s top tech companies would pass policies that are amenable to its most high-profile economic engine. But California is known for mixing things up, and the recent expansive privacy bill just signed into law after only a few days of debate is a development far out of left field indeed.
Called the California Consumer Privacy Act (CCPA), the new rules aim to expand consumer rights over the use of their data by requiring tech companies to disclose data use and collection, delete data records on demand, and allow users to opt-out of data-reliant processes. California’s new law is similar in spirit and text to the EU’s recent foray into data policy called the General Data Protection Regulation (GDPR), which went into effect in late May. Both laws attempt to comprehensively regulate data handling by firms in Europe and across the globe.
But the unintended consequences of these pleasant-sounding goals may come with a big price tag. California’s CCPA and the EU’s GDPR could put the squeeze on the global internet and have dramatic effects on the digital ecosystem and market dynamics.
While consumers obviously care about privacy, they also care about choice, convenience, and low-cost services. The modern data-driven economy has given consumers access to an unparalleled cornucopia of information and services, and it is remarkable how much of that content and how many of those services are offered to the public at no charge to them. That’s a real benefit to them and the economy as a whole.
But if you take all the data out of the Data Economy, you won’t have much of an economy left. That’s the problem with what California and Europe are doing.
It makes a bit more sense for the EU to pursue this kind of path. The continent’s heavy-handed data regulations have largely wiped out most home-grown digital innovation and competition. Thus, the costs the GDPR doles out are borne largely by firms outside of its borders; a sort of tariff or trade barrier on foreign interests that many European policymakers have grown to resent.
California’s move to drop this “privacy bomb” on the economy and regulate their own innovators is more problematic and perplexing. It is a kind of “own goal” that will hurt the state of California and the United States more broadly.
Like the GDPR, the CCPA is a horrible combination of vague and broad. Consider the new liability regime the California law creates and the costs it will likely entail. According to the legal text, any “business that collects a consumer’s personal information” in the state of California—basically, any California business with a website—is subject to fines of up to $750 for a security incident. No consumer harm need be proven, and these damages accumulate “per consumer per incident.” As one critic noted, these kinds of incidents can quickly snowball into a small fortune of remedial fees. Large firms can begrudgingly stomach the costs, but your local “Mom and Pop” with a web presence cannot.
Consumers are also hurt by the changes. The text prohibits a business from “[discriminating] against a consumer” because they opted out of data collection or demanded that the business delete their data. And what counts as “discrimination”? Things like denying access to the platform, charging for access, or even offering benefits to consumers that do want to participate in data programs. This could severely limit the future of customer rewards programs. Furthermore, it cuts off an alternative business model—namely, offering paid tiers for ad-free experiences—that could allow businesses to maintain profitability in a post-CCPA world.
The law is the first of its kind in the United States. The current law was hastily passed in part to head off an alternative voter referendum that would have been even more onerous. So there is a popular appetite for regulation in California, even though such policies could effectively kill the goose that lays the golden state’s eggs. Previously, data use and notice regulations were promulgated on a state-by-state basis, and they tended to be fairly light-touch in nature. The Federal Trade Commission (FTC) also has jurisdiction over acts of data negligence, but its actions are generally remedial rather than precautionary.
Hardline data privacy activists hope that California’s new law may serve to be a model for the rest of the country; as one of the chief promoters of the legislation put it at a press conference, “if it happened here, it will happen in the rest of the country.” This could happen even if other states do not issue their own strict data laws. Because California is such a large state, the regulations that it passes often effectively apply to the nation as a whole.
The CCPA will likely have a similar regulatory spillover effect, and people in other jurisdictions will have no electoral say in the matter. Experts have already warned that the law “will upend the operations of not only technology companies, but nearly any company that processes data of California residents (the vast majority of US companies).” Privacy compliance experts have already estimated that California’s regulations “will apply to more than 500,000 US companies, the vast majority of which are small- to medium-sized enterprises.” This regulatory spillover also explains why the EU data rules ended up affecting users far beyond its borders, and internet surfers across the globe had to abide the rising tide of privacy emails and consent requests wrought by the GDPR.
Tech businesses are understandably lobbying against the California law and hope to significantly curtail its negative consequences before the rules officially go into effect in 2020. Fortunately, there is a lot of time for lawmakers to correct some of the poorly-considered passages that were so quickly forced into law. Still, it’s always harder to change a law after it is established than take the time to get it right the first time around.
While privacy hardliners hope that states across the country may follow California’s lead, opponents of these data mandates may attempt to go one level further: federal preemption. As the economic fallout from the GDPR becomes more apparent, the rhetorical ammunition against it will only grow. It’s hard to say whether or not the current text of the CCPA will actually make it to the 2020 launch date, but it’s a good bet that the outcome of this last-minute California privacy law will have a major impact on the nation as a whole.
We shouldn’t be surprised if, as a result of California and Europe’s internet squeeze, digital innovators simply “pass these costs on to consumers either by erecting paywalls or forcing users to view more ads.” Or, worse yet, there may simply be fewer digital innovations and innovators to choose from going forward. As always, there is no such thing as a free lunch.
Photo credit: Rich Pedroncelli/AP/Shutterstock