“name and shame” lists of patently insecure devices and their manufacturers.
In addition, the raft of legislature also amended some of the rough edges in the California Consumer Privacy Act of 2018 (CCPA). CCPA was a 50 shades of regulation lighter variant of the EU’s GDPR legislation. It was designed to let Californians know about what personal data was being collected about them, which companies were collecting it, and why it was collected. As with the GDPR, it allowed consumers to view their personal data in a “readily usable format,” request the deletion of personal files, keep their personal data from being resold. However, the law was seen as being both inconsistent in its data handling criteria and also watered down by interests maneuvering to protect their online business models. In particular, data brokers felt threatened by the law.
The amendment cleared some of this confusion up by restricting what would be considered personal information and making some exceptions for the data collection by businesses subject to other privacy regulations such as banks, insurance companies, and credit reporting agencies.
While many privacy advocates such as Electronic Frontier Foundation (EFF) are not enthralled by the new or amended laws, they are a start. As Richard S. Eisert, Partner at Davis & Gilbert LLP stated, “California continues to take the most active role of any state in regulating privacy and imposing obligations on businesses. With the upcoming January 2020 deadlines for the CCPA and the proposed IoT law, business should continue – or begin, if they have not already done so – their efforts to comply.”
The US Federal government – and an army of industry lobbyists – are worried by individual states moving to regulate portions of the internet. Having a patchwork quilt of regulations on data privacy and net neutrality would make it more difficult for businesses such as Google, ISPs, and data brokers to conduct their businesses. California is a special threat due to the state’s size and also its history of setting regulations that become a de facto standard across the USA, for example with automobile emissions.
In late September of 2018, the Senate Commerce Committee started with its hearings on consumer privacy. As the EFF has pointed out, the committee is only listening to the big boys — Amazon, Apple, AT&T, Charter Communications, Google, and Twitter—no one is there representing the consumer. In addition, two major industry groups (the Chamber of Commerce and the Internet Association) have called for the federal government to preempt state laws with federal ones.
The fear of the EFF is that the Federal government and the FCC are listening more closely to the opinions of businesses than consumers and that the move to create a Federal standard is an attempt to preempt states such as California from coming up with a stronger regulation on devices and user privacy on their own. As the EFF stated, “a uniform law is only a good alternative if it’s actually a good law—not a weak placeholder designed only to block something stronger.”