Last week, California’s Attorney General Xavier Becerra testified before the U.S. Senate Committee on Commerce, Science, and Transportation in a hearing entitled, “Revisiting the Need for Data Privacy Legislation”. Becerra’s testimony included a request that the Senate not preempt the California Consumer Privacy Act (“CCPA”) by passing a federal data privacy law.
Becerra stated that “the optimal federal legal framework recognizes that privacy protections must keep pace with innovation, the hallmark of our data-driven economy. State law is the backbone of consumer privacy in the United States. Federal law serves as the glue that ties our communities together.” Becerra referred to CCPA as “a game changer” and pointed to examples of how the regulation has been and is being enforced against noncompliant companies.
He encouraged Congress to set a “federal privacy protection floor rather than a ceiling, allowing my state and others that may follow the opportunity to provide further protections tailored to our residents.” If they decide to draft mandatory federal data privacy legislation, Becerra suggested the committee to “look to the states as sources of nimble innovation and expertise in data privacy, and to value protections, like the CCPA, that states have already developed.” Additionally, Becerra recommended that, should a new federal law be drafted, it should include a “private right of action to complement and fortify the work of state enforcers.” Becerra considers such a measure to be critical to deterrence and the creation of meaningful consequences for noncompliant companies.
Given Becerra’s testimony, it appears that his position, and by extension that of California, is that while data privacy should be a concern of the federal government it is a matter best dealt with, and enforced by, state regulators.
California is one of the world’s largest economies, and the state holds significant sway regarding influencing regulations at the federal level. Becerra’s recommendations, if accepted by the U.S. Senate, likely mean that businesses will have to adapt to, and comply with, a 50-state data privacy framework, with a different approach in each state in which they’re doing business. Similar to how state tax laws work, each state could, in theory, draft its own law and enforce it, creating a tangled web of compliance. Companies operating in multiple states will need to adopt an ever-more-flexible approach to data privacy.
How Can Clym Help?
Clym provides a cost-effective, scalable and flexible platform to comply with CCPA, GDPR, and other laws as they come online. Our geo-location enabled technology provides companies with the ability to apply different rules to customers in various geographic locations so they’re always covered. Contact us today about how your company can implement Clym to help manage your data privacy regulation compliance from a global perspective.