Letter to Congress says federal law should not preempt state data privacy regulations and protections for consumers.
2/28/2020 8:00
California’s sweeping data privacy law impacting businesses storing and working with consumers’ personal information should serve as a building block for federal legislation, the state’s attorney general said in a letter to members of Congress Feb. 25.
California Attorney General Xavier Becerra also stressed federal legislation should not preempt consumer rights and privacy protections in the California Consumer Privacy Act (CCPA) and other state law—long the subject of debate on Capitol Hill as Congress continues to work through federal data privacy proposals.
“I am optimistic Congress will be able to craft a proposal that guarantees new privacy rights for consumers, includes a meaningful enforcement regime, and respects the good work undertaken by states across the country, looking to state law as providing a floor for privacy protections, rather than a ceiling,” Becerra said in the letter to U.S. Senate Committee on Commerce, Science & Transportation Chairman U.S. Sen. Roger Wicker, R-Miss., Ranking Member U.S. Sen. Maria Cantwell, D-Wash., and U.S. Reps. Frank Pallone Jr., D-N.J., and Greg Walden, R-Ore., chairman and ranking member of the U.S. House of Representatives Committee on Energy and Commerce, respectively.
“Attorney General Becerra further emphasized that Congress should provide consumers with greater enforcement power and be a partner to the states in the work of protecting consumer privacy,” according to a news release from the California Attorney General’s Office.
Becerra, in the letter to Congress, also invited legislators to, “look to the states as sources of innovation and expertise in data privacy, and not to undermine protections, like CCPA, that states have already developed.”
At least 25 states have laws that address data security practices in the private sector, according to the National Conference of State Legislatures.
Meanwhile, the comment period for additional proposed regulations on the CCPA concluded on Feb. 25 and the attorney general must publish the final regulations for the law by July 1, 2020. The law and initial requirements for businesses took effect Jan. 1, 2020.
As a refresher, key requirements of the CCPA, according to the attorney general, include:
- Businesses must disclose data collection and sharing practices to consumers;
- Consumers have a right to request that their data be deleted, although there are exceptions that should apply to the collections industry;
- Consumers have a right to request what information is collected; and
- Businesses are required to provide a privacy notice prior to collecting information from a consumer.
Most of the modifications in the proposed regulations released in February are clarifying and not necessarily pertinent to the overall understanding of the CCPA, ACA International Member June Coleman, of counsel at Messer Strickler Ltd. in California, recently reported. However, some clarifications are useful to the collections industry. For instance, the CCPA requires that a company identify the general categories of sources of information received about a California resident in both the privacy notice and the privacy policy, and upon verification of a request from a California resident, according to Coleman.
The CCPA applies to certain businesses that fall under one or more of the following criteria:
- Annual gross revenues of more than $25 million;
- Alone, or in combination, annually buy, receive, sell or share for commercial purposes the personal information of 50,000 or more California consumers, California households or devices;
- Derive 50% or more of annual revenue from selling consumers’ personal information.
The attorney general’s office cannot bring an enforcement action under the CCPA until six months after the publication of its final regulations or until July 1, 2020, whichever comes first, ACA previously reported.
In his letter to Congress, Becerra also urged Congress to provide consumers with new rights under federal law:
- The right to access, correct, and delete personal data that has been collected;
- The right to minimize data collection, processing, and retention;
- The right to data portability among services; and
- The right to know what data is collected and processed and for what reasons.
As Congress and states continue to consider data privacy legislation, ACA encourages members to get involved in advocacy. ACA’s Washington Insights Fly-In is a critical opportunity for members to get involved at advocacy at the federal level and learn more about the reach of laws such as the CCPA. Register now to join ACA’s advocacy team May 19-21 in Washington, D.C., hear from legislative and regulatory speakers and meet with members of Congress on the Hill.
Related Content from ACA International:
Three Steps Every Company Must Take Today to Avoid CCPA Class Action Liability