On June 28, California’s governor signed what is known as the California Consumer Privacy Act of 2018, thereby approving the most aggressive consumer data-rights bill ever to hit the United States.
Drafted, passed and signed into law in roughly two weeks, the CCPA reads exactly like you would expect: choppy, inconsistent and sometimes unintelligible. Assumed to be the better of two options, CCPA was passed to avoid an arguably more burdensome ballot initiative threatened by Alistair McTaggart, a California real estate mogul turned privacy advocate. Nevertheless, through its stilted text comes a comprehensive set of privacy rights—some of which are arguably good for consumers—but all of which suggest potentially devastating obligations for many industries.
CCPA is broad and applies to any company that might hold personal information about any California resident. But the most problematic provision for companies will likely be the enforcement authority, which extends to private rights of action that can be brought by any California resident whose data might have suffered a data breach. That right is paired with a statutory damages clause. This means no actual harm need be demonstrated. One need only show that the breach occurred and included the plaintiff’s data. This creates the potential that massive class actions could be brought against any company for a breach of information as benign as an IP address.
While the CCPA targets the protection of personal information of California residents only, the law will have far greater impact in two material ways.
First, faced with segregating operations to enable California residents to be treated differently than everyone else in the United States, some companies (perhaps a majority) will elect to apply much of CCPA across all domestic operations. Second, many believe other states will quickly follow California to create and enforce more stringent privacy laws.
We have done this to ourselves. Collectively. Societally. Our willingness to permit unchecked surveillance and unaccountable data collection reflects the blinders we’ve worn related to data abuse by corporations.
The CCPA isn’t a whistle signaling the start of a new game. CCPA reflects the frustration of a highly technically literate population that has determined it had no other way to capture the attention of multinational corporations. It will force businesses to invest in the construction of real data strategies built on principled and ethical data-use frameworks outlining the harms and benefits of the data collection, use, sharing and storage.
We are awash in biometrics, ubiquitous sensors, genetic testing, commercial drone surveillance, predictive health, predictive aptitude, digital determination, telemedicine, mobile devices with entire medical histories, artificial intelligence to diagnose disease, and the internet of everything. We are on the cusp of the greatest advancements in human health, longevity, safety and well-being in history and on the precipice of rampant distrust, abuse, untraceable harms and societal chaos.
This time, it’s on us to learn from the past and prevent the mistakes we’ve made throughout history when faced with exciting advancements in the name of science and convenience: abusive discrimination in agriculture with slavery, automotive industrialism and worker abuse, energy expansion and environmental spoilage, and human-subject research and associated unimaginable human abuse.
Let’s not make it worse. We must shift from the idea of complying with minimum standards to a paradigm focused on the ethical use of data. If we don’t, we will not have an Orwellian future—we will have a future awash in unethical and harmful abuse that we’ve repeatedly condemned prior generations for allowing.•
Eilenberg is founder and CEO of Lodestone Logic, an Indianapolis-based global consulting firm. Crosley is former chief privacy officer at Eli Lilly and Co. and is a principal in Crosley Law Offices.