At long last, Congress appears close to crafting a law to protect Americans’ data privacy on the internet. It’s something Americans across the political spectrum overwhelmingly want, and it’s years overdue. Europe rolled out strong data privacy protections in 2018 and California passed similar measures soon after.
So we’d like to be able to say to Congress: “Better late than never!”
But the bill under consideration in Washington is seriously flawed. It threatens to diminish the privacy protections Californians have come to expect from a state law signed in 2018 and a ballot measure voters approved in 2020. It’s weaker than the privacy laws on the books in California and contains a provision that says the federal policy would override state laws. That’s unacceptable.
A handful of other states followed California’s lead and adopted their own privacy laws, though none are as strong. Tech companies have been pushing Congress for a single privacy policy that is uniform across the nation. It’s not surprising that businesses want to avoid having to comply with a patchwork of different data privacy laws across the states. But Congress must not water down the rights of Californians in federal legislation.
Privacy laws in the Golden State allow consumers to opt out of the use of artificial intelligence to create a profile of them based on their personal data, such as facial recognition software or scoring systems that automatically determine if someone is eligible for a service. They prevent companies from charging consumers more if they delete their information, and prohibit monitoring users’ precise geolocation using video feeds from surveillance cameras and photos from people’s phones.
California’s data privacy law also lets consumers opt out of the sale of information that makes inferences about them. As Times reporter Jennifer Haberkorn reports, this includes sensitive information like location-tracking data that could suggest someone had visited an abortion clinic. These are some of the protections Californians would lose if Congress passes the American Data Privacy and Protection Act with the provision that preempts state laws.
The bill had a groundswell of bipartisan support in Congress this summer as it passed a key committee. But California leaders, including Gov. Gavin Newsom and Atty. Gen. Rob Bonta, urged lawmakers to amend it so that it does not override California law. For a while, it was uncertain if California’s concerns would be heeded amid the bipartisan momentum and a big push from the tech lobby.
But the most powerful person in the House is a California Democrat, and she is sticking up for her home state. We applaud Speaker Nancy Pelosi for insisting on changes to the bill. “It is imperative that California continues offering and enforcing the nation’s strongest privacy rights,” Pelosi said Sept. 1.
It’s not clear how the legislation will be rewritten to leave California’s laws untouched. Democratic Rep. Anna G. Eshoo of Menlo Park suggested setting the federal law as a floor and allowing other states to enact more aggressive policies. But the bill’s author, Democratic Rep. Frank Pallone Jr. of New Jersey, objected. He said that would risk losing support from Republicans, who side with the tech industry in wanting a federal law that preempts the states.
Another approach lawmakers should consider is a framework similar to the federal Clean Air Act, which allows California to set a tougher standard than the national one and lets states choose which they want to follow.
The pervasiveness of technology in modern life has created an insidious market for personal information from which residents of every state should be protected. The nation needs a robust data privacy law, but not one that will weaken California’s.