Expect California’s data privacy to laws to become the governing model

A hodge-podge: That's the current U.S. data privacy regime. Long after the EU, Canada and most other developed nations -- as well as many states -- have enacted strong regulatory frameworks for handling consumer data, the folks in D.C. are finally ready to take the issue seriously. It's about time. Headlines about Cambridge Analytica, Uber, Google, Equifax and others have exposed the dark underbelly of data privacy.

But not so fast: As urgent as the need is, Congress is a house divided. Everyone agrees that legislation is needed, but there is disagreement on which laws should prevail.

A 56-page Government Accountability Office report requested by the House Energy and Commerce Committee urges Congress to consider "developing comprehensive legislation on Internet privacy that would enhance consumer protections and provide flexibility to address a rapidly evolving Internet environment." The report cites a 2017 finding by the U.S. Census Bureau that 78 percent of Americans ages three and older used the internet and a 2018 Pew Research Center finding that 69 percent of American adults report use of social media platforms such as Facebook.

Federal laws are a patchwork addressing the use and protection of personal information for specific purposes, such as medical information (the Health Insurance Portability and Accountability Act), financial information (the Financial Services Modernization Act) and the Federal Trade Commission's Unfair and Deceptive Practices Act. States have begun to plug gaping holes in the fabric of internet privacy, but there is no comprehensive law governing the collection, use, and sale or other disclosure of personal information across the United States.

It's no secret that advertising is the backbone of the open web. Companies gain revenue by targeting ads to selected users, monitoring their clicks, searches, and reading habits as they move around the internet. Cookies track user interfaces such as accounts and logins, multi-page forms, and online shopping carts. They allow sites to store unique IDs in user browsers, enabling companies to track visits to multiple sites and construct a detailed overview of users' activity. Supercookies and fingerprints are used to follow people who try to delete cookies, and user IDs from social networks and similar sites provide ways to identify the people being tracked. The privacy implications are significant, but little has been done to regulate how marketers gather data on online users.

In 2016, the European Union enacted the General Data Protection Regulation and the EU Charter of Fundamental Rights, unifying data protection laws with the intention of strengthening the privacy rights of all individuals across the EU. The rulings hold companies accountable for how they request, store and provide access to personal data and require that individual information be kept secret and be fairly and lawfully processed for limited purposes in accordance with individuals' rights.

In 2018 California lawmakers passed the California Consumer Privacy Act, which will entitle Californians to learn what companies know about them and stop those companies from collecting or selling that information. The law takes effect in 2020. Other states, such as New York and Washington, are considering similar measures.

Last fall, multiple federal privacy bills were introduced in Congress, including the Data Care Act introduced by 15 U.S. Senators, the Consumer Data Protection Act, introduced by Oregon Sen. Ron Wyden, and the Information Transparency and Personal Data Control Act, introduced by Rep. Suzan DelBene of Washington.

Most Democrats advocate letting state laws coexist with federal laws. Jackie Speier, whose 14th congressional district includes San Francisco, told Politico that she "would look askance at any measure that tried to pre-empt" California's law. "I would hope that all 53 members [of California's House delegation] would oppose it."

Republican legislators and technology companies, on the other hand, argue that a single federal system should govern. Senator Marco Rubio of Florida has introduced the American Data Dissemination Act, which would compel the FTC to draft up new data privacy rules for congressional approval. In an op-ed, he wrote that "a state-by-state patchwork of laws is simply not an effective means of dealing with an issue of this magnitude."

If Congress approves a dual system of regulation, states like California will be free to enforce laws that are stricter than the federal standard. If the federal law becomes exclusive, the standard adopted by Congress must be at least as stringent as the EU's GDPR. The law should mandate tools to protect online users' data, such as Do Not Track technology, which keeps users' online behavior from being followed across the Internet by behavioral advertisers, analytics companies, and social media sites. Anything less than this will only perpetuate the roaches lurking in the dark underbelly of data privacy.

If state and federal laws are ultimately allowed to coexist, it is a good bet that California's laws will become the de facto standard for the nation. Just as happened with automobile emissions standards, major players will find it unwieldy and counterproductive to implement and adhere to different sets of standards. Assuming California's laws are the most stringent -- as is true for automobile emissions -- expect it to become the governing model. California is prescient when it comes to issues that impact its residents and has been at the forefront of many legal trends. Data privacy should be no different.