How Sacramento Became More Effective Than Washington DC

As of January 1st, 2020, the California Consumer Privacy Act (CCPA) will officially become law. The CCPA will add to the existing patchwork of legislature that protects the privacy of American consumer data. Currently, US citizens’ privacy is protected by regulations including the Family Educational Rights and Privacy Act, the Children’s Online Privacy Protection Act, the Federal Trade Commission, one of the 54 Security Breach Notification Bills, and even the European General Data Protection Regulation (GDPR). Despite the impressive length of this list, Americans remain more vulnerable to Big Tech privacy abuses than citizens of Lichtenstein – a tiny 62-square-mile microstate that has a more robust Data Protection Authority (DPA) than the US. 

Why? Government corruption and the libertarian ideology that infiltrates many federal institutions has largely succeeded in sucking every last dollar out of consumers’ pockets. Lawmakers in Washington, DC have been bought off to the point where passing a federal data protection bill is practically impossible, and creating an independent DPA to ensure its enforcement is simply unthinkable. However, the geographically ambiguous nature of the tech industry enables changes in more progressive parts of the country to affect all American consumers. 

One may believe that the European GDPR would only affect EU citizens. On the contrary, the regulation applies to any business that collects data from EU citizens or residents – all the major tech players, from Facebook to Amazon, do this. 

For years, the US and EU battled over privacy regulation. This conversation generally entailed EU frustration with the insufficiency of US policy. The GDPR represented the end of Europe’s patience, putting the nail in US tech’s coffin. One particular clause of great consequence stipulates that the transfer of data out of the EU must only happen to countries that exhibit an ‘adequate level of protection’ for their citizens’ data. And it turns out that the US often falls short of these expectations. 

American tech giants desire European customers. If they can’t increase their international reach, then another company will, and that other company will eventually take their American users too. Therefore, the GDPR gives American companies an enormous incentive to change their data protection policies, even if not mandated by the federal government. Such changes are clearly outlined in the bill. Companies must: allow users to delete, correct, or move their data; prove a lawful basis for collecting user data; notify authorities of data breaches within 72 hours (a much shorter time than many state requirements in the US), along with an array of similarly intuitive restrictions that somehow lawmakers in Washington, DC couldn’t implement themselves.

And if the market incentive is not enough, GDPR fines are sure to be. An upper-level fine results in up to $22.2M USD or 4% of worldwide annual revenue – whichever is higher. To put that into perspective, 2018 Facebook would (should) have paid $2.232B USD to the EU.

More importantly, the new CCPA also extends beyond its legislative borders. Any company with an annual gross revenue of over $25M; or one that receives, shares, or sells personal information of more than 50,000 people; or earns more than 50 per cent of its revenue by selling personal information – will have to comply.

Furthermore, when it comes to regulation, the GDPR is good, but the CCPA is better. The CCPA takes an incredibly liberal stance on what is considered to be ‘personal data’. It is defined as ‘information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.’ The same term in the GDPR is defined as ‘any information relating to an identified or identifiable natural person.’ The former is clearly much more encompassing than the latter, providing greater consumer protection.

 Naturally, the tech industry has become incredibly concerned: the CCPA will likely reach all across the US, including firms based in Republican strongholds. Furthermore, the states of New York, Nevada, Washington, and Texas are starting to follow California’s lead, which could produce even more progressive reform. 

" When it comes to regulation, the GDPR is good, but the CCPA is better. "

One cannot help but ask why the US Federal Government has been so inept in doing something like this itself. The problem lies in corruption. In response to growing anti-tech sentiments on both sides of the aisle, Big Tech started to buy congressmen who didn’t see their way. 

Take the transformation of Senator Mike Lee (R-UT) for example. As Chairman of the Senate Antitrust Subcommittee, and a tough critic of Google, Lee was a prime target for ‘persuasion.’ In 2015, FEC records show that Google donated $7,500 to Lee’s re-election campaign. Several firms related to Google, or other big tech companies like Facebook and Yahoo, contributed an additional $66,100 to his campaign. Big Tech also engaged in other maneuvers such as the hiring away of Lee’s subcommittee staff like Mike Lennon and Bryson Bachman

Come 2018, Senator Lee seemed to have had a sudden change of heart. During Mark Zuckerberg’s senate hearing, Lee asked the Facebook Chief Executive, “Isn’t there a significant free market incentive that a social media company, like yours, has, in order to safeguard the data of your users?” Mark (first name because they seem to be friends now) happily replied, “Yes, senator. Yes.” Lee then proceeded to ask Mark a series of similarly weak questions.

Compare this to 2011 Mike Lee – before all the donations – in a Senate antitrust panel where he clashed with Google’s Chairman, Eric Schmidt. Lee raised concerns over Google’s ability “to determine who will succeed and who will fail on the Internet,” alluding to the excessive power of the search engine. Later he went as far as shouting at Schmidt, “you cooked [the rankings] so you are always number three.” This was in reference to Google Product Search’s curiously consistent ranking across hundreds of shopping searches, which was visualised in a large chart that Lee had brought along for the meeting. 

The exact content of his conflicts with Google aren’t as important as the fact that Lee went from being one of the most outspoken Big Tech critics to being their little puppet. And he’s just one of many.

In many ways, the story of Big Tech lobbying has become ironic, and somewhat entertaining. As a result of corruption in Washington, DC, Europe and California took their own steps to restrict the abuses of Big Tech for their citizens. In doing so they went far beyond what any federal US mandate would have done – even without corruption – but they’ve impacted everybody. So in targeting the Capital, Big Tech opened up its left flank, and allowed seemingly irrelevant legislative bodies to totally change the game. Turns out, Americans have a small state house in Sacramento, CA – and not their own government – to thank for the protection of their data.

Despite bold steps from the EU and lawmakers in Sacramento, the battle is far from over. The federal government’s failure to create a specialised Data Protection Authority leaves some distinctions between the effective rights of American and EU citizens. If an EU citizen wished to make a claim against a company for violating GDPR rights, they would reach out to their respective DPA. In fact, all 28 EU countries have one:they can be found here. But if an American were to try to find theirs, well, good luck to them. The best bet would be the Federal Trade Commission (FTC). However, the FTC has little power in comparison to its European counterparts, and only directs a small portion of its funds toward data regulation. Many industries that engage in the collection of data – such as airlines, universities, and banks – aren’t even subject to FTC oversight due to peculiarities in US law. So the path to directly exercising American consumer rights remains pretty murky. 

William Kovacic, member and chair of the FTC during the Obama and Bush administrations, described the problem: “there’s no public institution in the US that has [the] breadth of authority [to police privacy properly], and that’s a big gap.” Until Congress steps up and seriously confronts this issue – rather than focusing on their own campaign funding – Americans will not be able to individually exercise their rights. Instead, they will have to rely on crackdowns from government bodies.

Something also worth considering if you’re an American: every time a European DPA or EU citizen fines a US firm for abusing rights that you now have too, they are cashing in on the proceeds. Those fines go into strengthening European bureaucracies, social welfare, and consumer protections. Meanwhile, our congressmen are sitting on personal pay checks from Google, and none of it is going to you.

Photo: Image via Udo S (Flickr)

SUGGESTED ARTICLES