Privacy, Technology and Perspective
April Fools or Just Another Week in Data Privacy? This week, we’re running down the list of well-reported updates – California Approves Privacy Regulations and Iowa Enacts New State Privacy Law – and also offering a suggestion about federal action (because there is no time like the present).
Updated CCPA Regulations: The California Office of Administrative Law has finally approved the updated regulations related to the California Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Rights Act of 2020 (CPRA). A link to the updated CCPA regs follows:
Iowa Becomes the Sixth State to Enact a Comprehensive Privacy Law: The law will go into effect on January 1, 2025. It’s patterned after some of the state laws that have come before it, as Iowa joins California, Virginia, Connecticut, Colorado, and Utah in enacting a “comprehensive” consumer privacy law.
The law covers businesses in the state that produce products or services that are targeted to consumers in Iowa and control or process personal data on 100,000 consumers in the state or derive 50% of their revenue from selling the data of more than 25,000 consumers. “Consumer” is defined as “a natural person who is a resident of the state acting only in an individual or household context and excluding a natural person acting in a commercial or employment context.”
A link to the new law follows:
And you may read a good summary by IAPP, which is available at the following link:
Our thoughts: Having a patchwork of state data privacy laws is unmanageable. Moreover, calling them “comprehensive” privacy laws is inaccurate because they only focus on consumer data privacy and private enterprise, and do not address the profound questions associated with personal privacy, including the protection of individuals from arbitrary and capricious governmental action. Moreover, the laws fail to consider the wider issues associated with the exploitation of Americans’ personal information, including by employers, data brokers, and the state and federal government.
The new privacy laws present compliance headaches, more than anything else. The United States must work on formulating a serious, long-term strategy related to its technology dominance and its citizens’ privacy rights. A new strategy must address all forms of AI, and the use of all kinds of data (not just personal information) in both centralized and decentralized contexts by the government, private enterprise, and in connection with blockchain technologies – essentially stating principles, before mechanics, that should govern in a fast-moving world.
We would also suggest tabling federal efforts at a consumer privacy law in favor of bigger efforts – like a Constitutional amendment recognizing that Americans have privacy rights, perhaps patterned after Article 7 and 8 of EU’s Charter of Fundamental Rights, acknowledging “everyone has the right to respect for his or her private and family life, home and communications” and “everyone has the right to the protection of personal data concerning him or her.”
Also, we suggest legislation directed at the data broker and digital advertising industrial complex. We don’t need a “Do Not Sell Button” on every website. Americans need a universal opt-out mechanism (like a better-functioning Do Not Call Registry) whereby they can opt-out of the sale of their data in one place.
To be clear, while it may be April Fools’ Day, we aren’t kidding.
Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet and technology. Open the Future℠.