The Washington Post

Opinion: California’s privacy law was supposed to spur Congress to act. It flubbed instead.


LAST YEAR was supposed to be the year of a federal privacy law. But Congress flubbed it, so the digital privacy law that seems likely to define 2020 is not coming from Washington.

The California Consumer Privacy Act (CCPA) went into effect last week, a year and a half after it passed in the summer of 2018. The looming of the local standard was supposed to spur Capitol Hill to do something. Instead, the Golden State, plus perhaps a few others whose policymakers are sick of waiting around, will define privacy law. That’s not an ideal situation.

The CCPA doesn’t affect only Facebook, Google and the firms most frequently assailed for what critics call “surveillance capitalism.” It affects cable-TV companies, phone providers, publications (including this one) and any old retailer that collects the personal information of 50,000 people or brings in revenue of $25 million per year. The act also probably won’t affect only the almost 40 million Americans who live in California but the rest of the nation, as well; some businesses have already said they will treat all consumers equally. That helps explain the emails about policy updates arriving in inboxes from coast to coast.

What will the effect be? California’s attorney general can’t start enforcing the law for at least six months, and the regulations from his office haven't been formalized. That means the contours of the newly afforded rights to access, correct, delete and opt out of the sale of data remain fuzzy. So far, firms have interpreted them in all sorts of ways. Some display a pop-up banner allowing users to free themselves from tracking for advertising purposes; others claim that selling ads against users’ information isn’t the same as selling users’ information. The CCPA also doesn’t generally place limits on the data companies can collect and keep in the first place. And the onus is on consumers to exercise the privileges they do have, so only time will tell how much life will really change for firms.

Washington state, too, is working on an ambitious privacy law as Washington, D.C., falls short. The state measure didn’t pass last year, but legislators are optimistic about a revised proposal. Nevada has passed a measure somewhat narrower than California’s rules, and New York is going even bigger with a bill that would give companies obligations as “data fiduciaries.”

Firms may end up grappling with a hodgepodge of regulations, but even taken together these statutes won’t be able to provide what only Congress could: a comprehensive law by those who represent the whole country, for the whole country. That should give federal legislators an incentive. Though its track record doesn't offer much reason for optimism, Congress should do in 2020 what it promised to do in 2019.
