Until more is understood about data privacy policies, California needs to put the brakes on adding new requirements that harm businesses.
By Pat Fong Kushida, Special to CalMatters
Pat Fong Kushida is president and CEO of the California Asian Chamber of Commerce.
The road of best intentions can be unintentionally fraught with setbacks and unexpected dead ends when too many “cooks in the kitchen,” get their hands on the recipe. This is a problem we are seeing borne out with the confusing and disjointed implementation of various new data privacy policies.
Good laws make good sense. But until more is understood about the challenges of complying with existing data privacy statutes, the Legislature and regulators need to put the brakes on adding new requirements that harm California business while they are trying to recover from significant pandemic-related impacts. For our Asian American-owned businesses, nearly one-third had reported that their operating capacity decreased by more than 50% in 2021, according to a UCLA survey. Additional mandates will make business recovery even harder.
The California Consumer Privacy Act, which governs the collection, use and disclosure of consumers’ “personal information,” was enacted in 2018 and took effect Jan. 1, 2020. In September of 2019 – months before the new law even took effect – the Legislature passed and Gov. Gavin Newsom signed into law five major amendments to the privacy act, one day after then-Attorney General Xavier Becerra released proposed new implementing regulations. In 2020, the Legislature imposed multiple additional requirements via at least four new laws, and in November of that year, voters approved the California Privacy Rights Act, which significantly amended and expanded the California Consumer Privacy Act.
Additionally, the California Privacy Protection Agency, the governing agency created by the California Privacy Rights Act, has proposed implementing new regulations. The Department of Justice announced its intent to begin an “investigative sweep” of businesses operating in alleged noncompliance with provisions of the California Consumer Privacy Act. This is very worrisome, especially for those of us representing minority-owned small businesses who historically are unaware of new government mandates and changes.
The chaotic, rapid-fire onslaught of privacy laws and regulations threatens to eclipse a sincere and well-intentioned effort to protect California consumers.
It is highly likely businesses will be paying higher costs. According to an economic analysis report prepared for the attorney general, the original California Consumer Privacy Act presented operational and compliance costs which could total $55 billion.
The new privacy laws and regulations will impact most California businesses. Many businesses are under the impression that the data privacy rules and regulations only apply to big tech and large corporations, but in reality, it is our small- and medium-sized businesses that will be impacted the hardest, either directly by having to develop a comprehensive and expensive privacy infrastructure or indirectly when free products and services are eliminated or moved to a subscription model.
The laws are so confusing, complex and ever-changing that many companies are simply not complying. A recent study by technology security firm CYTRIO found that 89% of affected companies in the U.S. are not compliant or only partially compliant. Only 11% overall have automated Data Subject Access Requests, a key element that gives consumers the right to access their own data; almost half (45%) utilize expensive, time-consuming and archaic processes like email and web forms to comply with requests, and 44% lack any mechanism whatsoever.
It’s not that they don’t want to comply; after years of changes and new requirements, they don’t know how to comply.
But the worst damage is to everyday Californians. Consumers, likely confused from the start, have no idea of the potential loss of free services and introduction of paywalls that may result from a landslide of mandates and limitations on the operations of the internet.
Before more damage is done, the California Legislature and California Privacy Protection Agency need to commit to a redemptive and measured approach to data privacy issues.
Lawmakers must stop making changes to the existing laws and work in concert with affected stakeholders, as well as review existing laws and analyze the positive and negative impacts of current regulations. And only then should the Legislature and the California Privacy Protection Agency consider whether additional policies are necessary.
Pat Fong Kushida has also written about why California lawmakers must commit to small, minority-owned businesses and why an Asian American Pacific Islander should replace Kamala Harris in the U.S. Senate.