Data & Analytics

On data privacy, state AGs say they’re following California’s lead

As states figure out how to protect their residents' personal data, many are waiting to see how California's sweeping new privacy law is implemented.

By Benjamin Freed

January 30, 2019

(Getty Images)

As the public becomes increasingly wary of how personal information is handled on the internet, a group of state attorneys general said Wednesday they often look to California for guidance. In particular, they said they’ll be following how the country’s most populous state prepares for its Consumer Privacy Act, a sweeping series of rules set to go live next year that will crack down on what companies can do with their customers’ and users’ personal information.

“As California goes, so goes the nation,” said Vermont Attorney General T.J. Donovan, speaking at a consumer privacy event hosted in Washington D.C. by the software firm Symantec. “Watching how the rules in California are going to be developed is going to be critical.”

Officials from Washington, D.C., Virginia, New Mexico and Vermont joined to discuss what role state governments must play in protecting their residents’ online privacy in the absence of federal data privacy laws.

“The last federal privacy legislation was passed in the 70s,” said Washington, D.C., Attorney General Karl Racine, referring to the 1974 Privacy Act. “We’re not going to wait. And we’re certainly not going to wait on the FTC for any litigation matter.”

But without an overarching federal data privacy law to set national rules for how companies use online consumer data, states must navigate their own ways to protect their residents’ personal information, the attorneys general said, though the new California law could offer some guidance. However it shakes out, Donovan said, the goal is to create an environment in which people can feel safer conducting online transactions.

“California in 2020: perhaps that strikes a roadmap,” Donovan said. “I also start with more of a fundamental question. Can law keep pace with technology? I’m not sure passing a law in Vermont every year is the way to go. But I think we need to agree to fundamental principles: trust between consumers and businesses.”

When the California Consumer Privacy Act goes into effect next year, the state’s residents will gain the rights to ask companies to turn over or delete the personal data they’ve collected and to opt out of future data collection or the resale of that information to third parties. Though applauded by privacy advocates, the law was strenuously opposed by the tech and telecommunications industries. Major companies such as Google, Facebook, Verizon and AT&T each contributed $200,000 to a political action committee lobbying against its passage.

The law also gives the California attorney general’s office stronger enforcement powers to fine companies that do not comply with consumer requests to turn over their data. Donovan said that development is likely to be replicated in other states, including his own, even if it ruffles online businesses.

“I don’t think you’re going to see state attorneys general abdicate their responsibilities for consumer protection in an increasingly digital world,” Donovan said. “Vermont needs economic development and we need to grow, but we have a strong tradition of privacy, a strong libertarian streak.”

Others on the panel conceded that although states are each drafting data privacy laws independently, the tech industry may push for uniformity. “It’s interesting to see how that’s the industry view,” said Virginia Deputy Attorney General Stephen Cobb. “‘Not going to do one thing in California when I have to do something else in the other 49 states.'”

On some privacy policies, some states are already following California’s lead. Donovan touted Vermont’s new data-broker law, which requires companies that buy or sell consumer data to register with the state and offers Vermonters the option to remove their data from the marketplace.

“It’ll be very interesting to me to see how many companies register as data brokers, and how many Vermonters opt out,” Donovan said of the new law, which takes effect Friday. “At the end of the day, privacy has always been a fundamental principle of our country, and living in a digital world doesn’t change that.”

New Mexico Deputy Attorney General Tania Maestas said the common reliance on California may come from the fact that many state legislatures only convene for a couple months each year.

“Our legislature is rotating between [calendars of] 60 days and 30 days, and on those 30 day years all we do is finance bills, so we’re always behind the curve,” Maestas said. “It does help a bit for us smaller states to follow the lead.”