As the state’s new digital consumer protection act shows, with global governance in retreat, the search for regulatory backdoors is on.
On Jan. 1, the new California Consumer Privacy Act (CCPA) went into effect, with consequences felt far beyond the state’s borders. Unlike in neighboring Las Vegas, what happens in California rarely stays in California, especially when it comes to business regulations.
The CCPA is no exception. It is the U.S. beachhead of the 2018 European Union General Data Protection Regulation (GDPR), the previous effort by the EU to regulate aspects of how corporations handle personal data. By dint of California’s size—it is the largest internal market in the United States and the fifth-largest economy in the world—and influence in the tech sector—the state is home to Facebook, Google, Yahoo, Cisco, and many others—the impact of the CCPA on the rest of the world could be far larger than its European cousin.
Indeed, the CCPA has already lit a fire under the U.S. Congress, where a rare bipartisan push toward federal data protection legislation is underway. The effort is aimed at forestalling a state-by-state patchwork of law and, for the Republican Party at least, denying a victory to the reviled activist legislators of California.
The reversal in recent years of the decadeslong trend toward a more coordinated global economic, trade, and regulatory environment has led regulators in the United States and abroad to seek new ways around populist and protectionist governments. Stateside, California has been a perfect Trojan horse.
In other years, the EU’s enactment of the GDPR would have spurred congressional action or trans-Atlantic talks to harmonize the legal codes of the world’s two largest economic entities.
The GDPR levies fines of up to 4 percent of annual revenue on companies doing business in Europe that fail to protect the personal data and privacy of EU citizens. The rule has already cost companies globally over $100 million in legal and other fees, including the rewiring of digital business plans and platforms; the hiring of chief data officers, a relatively new post necessitated by the law; and other compliance measures. Google was quickly hit with a $57 million fine in 2019. The new legislation’s impact will be even greater for American firms than their European cousins.
But under the current administration, it is nearly impossible to enact any new rules that could be portrayed as ceding sovereignty in legal or regulatory matters. In turn, some Democrat-led states, including New York and California, have tried to take up the cause on their own. Their behavior is not unprecedented. These states have long tried to set the tone for certain business and policy practices (New York on financial regulation and anti-corruption legislation, California and others on environmental and agricultural policy). And, in fact, there is a deep history of all sorts of states taking the lead on issues where Washington can’t reach consensus.
In the 1980s, for example, the states of New England banded together to fight the acid rain that resulted from coal-burning power plants in the Midwest. Massachusetts eventually sued the Environmental Protection Agency (EPA) to force it to enforce the 1963 Clean Air Act and won its case in the Supreme Court in 2007.
When the Obama administration signed the Iran nuclear deal in 2015, many states, Texas in particular, led the charge against the agreement by forcing locally based firms and pension funds to divest from companies doing business in Iran despite pledges in the deal to end U.S. economic sanctions.
New York Gov. Andrew Cuomo tried to spark a similar revolt, this time against fracking, by banning the technique in his state in 2014, with hopes that others would follow. But other states with shale formations—Texas, Pennsylvania, North Dakota, Colorado, and others—found the license fees and tax revenue preferable, and they show no signs of following suit.
It is in California where such legislative maneuvering has had the greatest impact. California’s 2007 decision to set higher fuel efficiency standards than the rest of the United States—a move affirmed by the EPA in 2009 when it issued an exemption to allow the state to exceed federal standards—defeated powerful opposition from the energy and auto industries. It forced a rapid increase, again due to the state’s size, in the average miles per gallon of new global vehicles.
The Trump administration recently revoked California’s EPA exemption, but it matters little. All along, the auto industry’s main objections to California’s higher standard revolved around the costs involved in retooling and redesigning existing fleets. They’re no more interested in retooling again for lower standards, although subsequent improvements in new U.S. cars may slow if Trump’s reversal is not itself reversed by a future administration.
So what, exactly, will the CCPA bring? Generally, for anyone doing business online, from Google and Facebook down to a small shop with a simple email marketing account, the CCPA will matter, even if the company has already spent significantly to comply with the GDPR.
The California Department of Justice warns that even GDPR-compliant companies will have additional obligations under the CCPA. For instance, the GDPR requires all firms to do an audit of their data policies to create records of what information they are retaining. Under the CCPA, there is an entirely different requirement for data mapping, which will mean tweaks to any current GDPR-compliant practices.
Both the CCPA and the GDPR require companies to respond to individual requests for access to personal information, including demands that such information be erased (part of the EU’s assertion of a “right to be forgotten”). But the CCPA defines “personal data” somewhat differently than the GDPR. The California Department of Justice advisory notes that “businesses may need to review and reconcile the different definitions of personal information and applicable rules on verification of consumer requests.”
The bottom line: lots more work (and more fees) for corporate legal teams—and that’s before you get sued by the state regulatory body or through a consumer class action group.
For multinationals, the GDPR has not been the existential blow its harshest critics predicted, but it has added complications and costs to operating in the big European market. The Harvard Business Review notes that “these new powers come with new responsibilities and new costs for users, not least of which are ballooning budgets for government data management and enforcement bureaucracies worldwide.” No matter how you slice that, higher taxes go hand in hand with the costs corporations bear to comply with the law, with those costs invariably passed along to consumers.
Meanwhile, the new law has already stirred unusual activity among the typically inert mass of humanity Americans refer to as Congress. Late last year, four Democratic senators, including Maria Cantwell, the top Democrat on the Senate Commerce, Science, and Transportation Committee, introduced a new national privacy bill: the Consumer Online Privacy Rights Act. The bill aims to provide consumers with a digital version of Miranda rights and, for companies that don’t properly adjust their policies, set up steep penalties to encourage compliance.
Republicans countered with their own bill, sponsored by Sen. Roger Wicker of Mississippi, which raises the bar for consumer consent. Rather than rely on legalistic disclosures like Cantwell’s version, the Republican alternative would effectively forbid the collection or transfer of personal data unless consumers specifically opt in to allow it. Meanwhile, a proposal in the House, sponsored by two California Democratic representatives, Anna Eshoo and Zoe Lofgren, would create an independent federal agency to enforce privacy protections and investigate abuses.
It remains unclear whether such politically fraught legislation can pass in a presidential election year—or whether Trump would sign it if it did. He has shown little love for initiatives born in California and has lashed out frequently at Big Tech.
Whatever becomes of the CCPA and the current proposals in Congress, it is clear that global regulators and other stewards of good governance view the Golden State as a golden opportunity. A recent move among European central bankers to create green financing standards has already received pledges of related action from California and other green-tinted U.S. states.
California is also leading, with New York, in seeking to create standards on so-called ESG data (Environment, Social, and Governance) that corporations release to financial data firms like Bloomberg and Thomson Reuters to burnish their green credentials. The current unregulated system allows companies to pick and choose what they report to greenwash their reputations. Environmentalists and activists on corporate transparency see little hope that the Trump administration would push forward on such initiatives, making California once again the promised land.