California has a history of attempting to use its position as a large state and large government purchaser to force its ideas on the rest of the nation. For example, the Golden State has tried to leverage its more stringent than the EPA vehicle emission standards onto the nation and, more recently, the state passed heavy handed regulation of the internet. Now, California wants to try again with consumer privacy regulation.
A rich San Francisco real estate developer with no expertise in privacy law used his wealth to force a ballot initiative on consumer privacy. Recognizing some of the flaws in the proposal and knowing legislation was easier to change than ballot initiative language, the California legislature passed the initiative language as law.
The new law, like the ballot initiative, is riddled with problems. Whole sections are vague or lack definitions. The plan likely cannot pass muster under the First Amendment and hence probably will be found unconstitutional. Meanwhile, as is typical with regulation, compliance costs will advantage existing big players while throttling small business and upstarts. And it applies to any website that can be viewed in California regardless of where the business is located, making the law an illegal power grab under other constitutional grounds.
One major challenge to addressing online privacy in a comprehensive law is that privacy means different things to different people. People often confuse cybersecurity (protection from unlawful use of electronic data) and online privacy (the ability to control information about you). Others are much more concerned about how the government is tracking them than whether a business does so to provide relevant ads, discounts or services. Some believe that even casual observation of a person’s actions should be protected by a sweeping law. Few appreciate that the internet was not designed to keep information restricted. In fact, the design of the internet is exactly contrary, being designed to facilitate information flows even under spectacularly difficult obstacles such as a nuclear war.
Consumers will be confused and poorly served if other states enact consumer data privacy laws that are in conflict with the California law. Because the California law applies to every website that can be viewed in California regardless of where a business is located, businesses could face multiple, conflicting privacy laws because of the interstate nature of ecommerce.
A successful privacy law would be a federal law that addresses these interstate issues. In the meantime, states should resist the urge to enact multiple, conflicting laws that will simply result in confusion for consumers and incoherence for businesses.