California’s consumer data privacy law will be the default privacy standard across the U.S., at least for the coming year, and that’s upsetting the Washington, D.C. crowd. A panel discussion on privacy legislation at the Mobile World Congress trade show in Los Angeles last week featured three industry lobbyists, the head of an industry front organisation and a Federal Trade Commission lawyer. All of them are based in D.C., and shared Beltway-centric advice on who should be calling the shots.
The panel was dismissive of state lawmakers’ ability to deal with the complexities of issues that lobbyists and federal regulators have been dancing with since at least 2012, when the FTC published a lengthy set of consumer privacy protection recommendations. Michelle Rosenthal, a former FTC lawyer who left through D.C.’s revolving door and is now a staff lobbyist for T-Mobile, worked on that report and praised its sophistication and subtlety – they even used a whiteboard!
On the other hand, CCPA “was drafted very quickly and passed very quickly”, Rosenthal said. “A lot of the state legislation – which I won’t get into – you know, unfortunately happened so quickly that that process isn’t a thing”.
The discussion would have been better informed if organisers invited someone from, say, California or Nevada who could explain what their thing is. Electronic privacy has long been a policy issue in California, but Sacramento lawmakers didn’t “jump in” until federal regulators tore up their own rules. Even so, the first attempt to pass a Californian privacy law was shot down by the same big telecoms and tech companies that have been so helpful in D.C.
The panel members offered a not-so-surprising consensus on three points:
- The federal government should set consumer privacy rules because everything will be complicated and everyone will be confused if state legislatures do it.
- Congress isn’t going to do anything about it this year, and next year isn’t looking good either.
- The California Consumer Privacy Act (CCPA), which takes effect in January, will be the de facto privacy rulebook for the rest of the country, at least until something even tougher comes along. Which could easily happen, because other states, including Nevada and Maine, are in the game now.
CCPA “in effect, could become, sort of, the law of the land as it becomes implemented”, said Melanie Tiano, privacy and cybersecurity director for CTIA, the mobile industry’s D.C. lobbying group (and a co-sponsor of the show).
“Firms just ratchet up to the highest standard, and that’s sort of the general rule of thumb, and that seems manageable”, said Jared Ho, an FTC privacy attorney. “It seems like one of the greatest concerns is going to be potential conflict”.