• Reluctant US Congress sits on the fence and does nothing… 
• …as 14 states introduce their own data privacy and transparency legislation
• California's CCPA is the base model for all
• Washington DC will eventually be forced to enact Federal legislation

In just the same way that banks routinely refuse publicly to discuss the growing incidence of online or mobile financial fraud and data breaches and will not acknowledge that compromised IT systems and hacking are common and intractable problems, businesses whose life-blood is selling consumer data won't talk about what they hold and how they use it until and unless compelled to do so by business exigency or the law.

Until they are forced to that point they wriggle and prevaricate and apply complex regimes of bureaucratic mazes and hurdles designed to baffle the ordinary consumer and stop or seriously delay them from knowing about their own data and taking what control they can over it.

As TelecomTV reported yesterday, the new California Consumer Privacy Act (CCPA) became state law on January 1, 2020. The legislation places far-reaching new transparency and data privacy obligations on all businesses with any form of online presence that have access to the personal data of 50,000 individuals or more or generate revenues of US$25 million or above per annum. 

Businesses falling within those parameters, be they the great white sharks such as Google, Facebook, Twitter, Uber and others of their Carcharodon ilk or tiddlers that are the online equivalents of local "Mom and Pop" stores must allow individual Californians to exercise their rights under the CCPA to view, review, delete and even completely prohibit the sale and brokerage of any and all personal details that any online company is holding. 

The battleground is now becoming apparent with small companies keeping their heads down, staying schtum and hoping they will remain below enforcement radar that will be focused far above them. Meanwhile whilst the giants will set expensive lawyers to argue the niceties of compliance with data privacy and protection laws and regulations and come up with a variety of different interpretations of them to maintain the status quo (and their bottom lines) for as long as possible.

The CCPA is an ostensibly simple and straightforward law that covers a very complex set of issues subject to different interpretations within California itself but that also have national implications because the attempts by the US authorities to introduce federal data privacy, transparency and control laws that would be applicable nationwide have, time and again, been kicked into the long grass by a partisan Congress.

Thus the CCPA is regarded as a precedent that could have a profound effect across all US states. For example, Microsoft, has already announced that it will comply with the new law but will apply all and any changes it makes not only in California but also to all other users across the entirety of the US because it expects that something similar to the CCPA will become law in other states in the near future. That's one of the first cracks in the wall.

Meanwhile, Facebook, stepping nimbly out of the path of the oncoming juggernaut says, "We do not sell people's data". However it does sell tracking software to countless online business and organisations that they then use to identify users for targeted advertising. Facebook says it is "encouraging" users of its tracking solutions that “to reach their own decisions on how to best comply with the law.” Thank you. We've done our bit. Nothing more to see here. Same old story - "Move along please, money to count!"

At last! The legal right to access, review, rectify and even delete personal information 

Given that Washington DC is apparently washing its hands of any responsibility for the introduction of federal data privacy laws, for the time being anyway, it falls to individual states to write and enact their own. Hawaii, Illinois, Louisiana, Maine, Maryland, Massachusetts, Minnesota,  New Jersey, New York, North Dakota, Rhode Island, Pennsylvania, Texas and Washington State are among those writing or introducing legislation that in some ways replicate or rely on component parts of the California model, but, to date, Nevada and Maine are the only other states that have actually enacted privacy laws.

Although there are differences of detail between the proposals of the various states listed above there are also many similar policy provisions that form the foundation of the new laws, the main one being the inalienable right of access of individual users to personal information collected.

This is bolstered by the further right of a consumer to access from a business or a data controller the information collected or categories of information collected about the consumer. That said, some states are debating whether this second right will apply  only if and when a business sells information to a third party.

Other common consumer rights being debated are the right of access to personal information shared with third parties and the right for a user to change and rectify incorrect or outdated personal information. More importantly, pressure is mounting for users to be endowed with the right to delete personal data. This is anathema to businesses opposing the proposals.

Further common rights are that an individual should be legally entitled to restrict an online operator's ability to process personal information about that consumer and that the user should have the right to demand that personal information held about him or her must be disclosed in a common file format.

Other proposed rights are that of opting-out of the sale of personal information to third parties and to prohibit decisions about manipulating and selling-on a consumer's personal information being made only by an automated algorithmic process with no human input. To give legislation a proper bite states are also proposing that consumers will have the right to sue businesses for civil damages in the case of violations of statute. Businesses will also be obliged to notify both users and regulators of any and all instances the breaching of privacy or security.

As Xavier Becerra, the Attorney General of California, says, "Henceforth businesses will have to treat information as belonging to, owned by and controlled by the consumer rather than data that, because it is  in possession of the company, belongs to the company.”

It looks as though the boot will soon be on the other foot as individual consumers at long last take legal command of their personal data and become able to sue for substantial redress if and when the businesses that make their money from it are found to be acting in breach of the law. 

Many of those companies have had a generation of freebooting exploitation of private data with scarcely being subject to any regulations or policing of their often highly questionable behaviour and have made fortunes out of it. Change and a redistribution of powers is long overdue and no one will have much sympathy for arrogant and hitherto untouchable companies who will squeal and writhe as they find it that much harder to make such massive profits in future. Good on California!