Why we need a federal data privacy law – and how CCPA sets the pace

Chairman of Californians for Consumer Privacy Alastair MacTaggart testifies about data privacy during a hearing before the Senate Judiciary Committee March 12, 2019 on Capitol Hill in Washington, D.C. Today’s columnist, Akamai’s Steve Winterfeld, updates readers on the progress of the California data privacy law and pushes for federal privacy legis...

The country needs to pass federal privacy legislation to establish a national standard for individual rights. Today, too many state laws exist, creating confusion and duplication. We need to create a national standard that would apply to all businesses and organizations.

By not having a national standard, we miss the opportunity to establish a consistent, comprehensive framework for privacy in the United States. Without a federal law, states have passed their own laws. Today, California, Nevada and Maine have privacy laws, and many other states have bills working their way through their legislatures. Many of these state efforts are based in part on the California Consumer Privacy Act (CCPA), which went into effect January 1, 2020.

The path to a formal privacy law in California took several years. In 2003, S.B. 1386 took effect, requiring any agency, person or business that does business in California to disclose any breach of security that resulted in the exposure of personally identifiable information (PII). By 2018, California went from mandating breach reporting to regulating the processing and use of personal information. While July 2020 was the actual start of operational enforcement for the CCPA, many are already looking to see what’s next.

CCPA was originally a grassroots ballot measure spearheaded by Alastair MacTaggart. Today, MacTaggart, through Californians for Consumer Privacy, is pushing to make the law stronger. The updated proposal -- the California Privacy Rights Act (CPRA) -- will be on the ballot in the election this November. Here is a snapshot of what may change under the proposed law:

  • Creates a new category of sensitive personal information, such as health or financial data and precise location, and gives residents the right to stop businesses from using or selling that information without their knowledge or consent.
  • Triples CCPA fines for collecting and selling children’s private information. It would also require opt-in consent to sell the personal information of consumers under the age of 16. Children ages 13 to 15 can opt in themselves, while children under 13 need parental approval.
  • Establishes a new state agency to protect privacy rights, the California Privacy Protection Agency.

The Electronic Frontier Foundation, as part of a coalition of privacy advocates, has filed comments about its concerns with the California Attorney General. The EFF says the existing CCPA doesn’t recognize Do Not Track practices (which let users opt out of browser tracking), and further objects to the “removal” by the Attorney General of certain specific types of personal identifiers from the definition of personal information. Many are also concerned about the high costs associated with compliance with the CCPA as it stands today. An assessment conducted for the California Attorney General estimates the total cost of implementing the law at between $466 million and $16.5 billion.

Akamai conducted a survey of 120 leaders about CCPA in May 2020 to develop a view on how the industry views CCPA. One question we asked was: “How do you think the government could strengthen existing legislation around CCPA and other US privacy laws?” The results were fairly evenly split (respondents could select more than one option): 57 percent said strengthen state laws; 49 percent checked creating a continued education program for data and local officials for data privacy compliance; another 49 percent said create a federal data privacy law; and 48 percent recommended creating a coalition of industry experts to continuously tweak and improve the law.

There are a number of groups trying to drive different agendas for privacy laws/regulations. They are all trying to get the right balance of providing a positive experience and appropriate use. Personally, I want help picking what to watch or the next book to buy. I fully understand that the capabilities/applications I get for free are using my information to make money to deliver that service. However, I expect the company to store accurate information and use it in the way I intended. 

In any event, the CCPA will likely serve as a model for other states, so many companies and other states are carefully watching how it develops. Sporadic state efforts have also generated increased support for national privacy legislation to avoid the compliance patchwork created by disparate laws. With the number of groups expressing concern about the existing CCPA, the uncertainty around the meaning of some of its language, and a ballot measure seeking to strengthen the law, we can expect that the CCPA will change and that we’ll see continued activity around consumer privacy for many years.

CCPA has already provided insights that Congress can use to enhance a federal law. But federal privacy legislation needs to be tailored to suit a full range of business models, including B2B. For example, providers such as Akamai need to have the flexibility to use threat information from one customer to inform how we protect all other customers so we can provide increased resilience to cybersecurity threats.

In the past few years, we have unfortunately seen too many instances of companies not being the best custodians of their customers’ data and privacy. Federal privacy legislation would send a clear signal that the U.S. has committed to strong privacy rights and that companies should and can be held accountable for ensuring that the data they collect about their customers are only used as per the wishes of their customers and safeguarded accordingly. Finally, given the cross-border nature of the Internet, a consistent federal framework will deliver more comprehensive protection for all Americans.

Steve Winterfeld, Advisory CISO, Akamai Technologies

Steve Winterfeld is Akamai’s Advisory CISO. He has a strong background in building operational security programs that are compliant with industry regulations. Before joining the team, he served as CISO for Nordstrom Bank, Managing Director of Incident Response and Threat Intelligence at Charles Schwab, and Senior Technical Director Cybersecurity & Group CTO at Northrop Grumman. Steve focuses on collaborating with Akamai’s customers to make sure they are successful in defending themselves and their customers. He also helps determine where Akamai should be focusing its security platform’s capabilities. Steve has published a book on Cyber Warfare and holds CISSP, ITIL and PMP certifications.