Greetings from Portsmouth, New Hampshire!
"As California goes, so goes the nation." It's a common refrain regarding the state's influence on policymaking at the state and federal levels. However, the translation from California to Washington, D.C., on privacy legislation is becoming increasingly hard to imagine.
With Gov. Gavin Newsom, D-Calif., signing the Delete Act into law this week, the Golden State added yet another regulatory tool to further regulate privacy abuses. Data broker registration, a single-click mechanism for opt-outs from all broker collection and deletion request response requirements raise the bar for industry accountability.
But the finalization of the Delete Act sets the stage for a potential patchwork of similar legislation across states while U.S. Congress allows the privacy goalposts to push further and further away.
States won't think twice about raising lookalike bills in future legislative sessions to match California's Delete Act. Look no further than the proliferation of state legislative activity to match or in some fashion mimic the California Consumer Privacy Act and more recently the California Age-Appropriate Design Code Act.
Eleven states have passed comprehensive privacy laws in response to the CCPA. A handful of states unsuccessfully pitched legislation comparable to the CAADCA in 2023 and at least two states, Maryland and Minnesota, vowed to bring back their California copycat proposals in 2024.
These legislative trends are sensible and expected, especially when a unified federal standard isn't on the horizon.
As is the case with comprehensive privacy regulation, federal lawmakers have proposals out there that do exactly what the Delete Act does. The proposed Data Elimination and Limiting Extensive Tracking and Exchange Act — yes, that's the DELETE Act — introduced to the U.S. Senate in June calls for data broker registration and a centralized deletion request system.
Any sort of traction for the federal version of the Delete Act is at the mercy of two familiar stumbling blocks seen time and time again in the comprehensive law discussion: political theatre and a stakeholder tug-of-war.
A more nuanced issue that arises in federal debates over any sort of privacy bill is a competent privacy-focused regulator.
There are signs some U.S. lawmakers lack confidence in the capabilities of the Federal Trade Commission. Sen. Kirsten Gillibrand, D-N.Y., previously proposed a bill to establish a federal privacy regulator with more focused personnel and funding than the FTC may not have while balancing other duties.
On the other hand, California ensured privacy matters will be handled competently and singularly with the creation of the California Privacy Protection Agency.
The clout of the CPPA is a work in progress as the agency continues to fully stand itself up while taking on so many responsibilities at once — with interim limitations. That's not to say they are ill-equipped to handle the workload. The fruits of the agency's labor will eventually come.
There is a potential "red flag" with California's growing privacy proficiency, which is the state itself will resist federal standards. We have already seen this play out when California threw cold water on Congress' proposed American Data Privacy and Protection Act — a bill that hasn't truly seen the light of day since fall 2022 due in large part to California's dissent.
The opposition from California's state and federal officials left no wiggle room on potential CCPA diversions that might lead to an ADPPA compromise. Their argument focused on the CCPA being the floor for a federal law or else Californians would ultimately lose protections with the CCPA preempted by a weaker statute.
So does the Delete Act just further embolden California and its stake in what privacy should look like in the U.S.? There's certainly a case to be made, and Congress is losing ground to prove otherwise while California's legislative gears keep turning.