California’s Attorney General Xavier Becerra testified before the U.S. Senate Committee on Commerce, Science, and Transportation this Wednesday, in a hearing entitled, “Revisiting the Need for Data Privacy Legislation.” According to his testimony, Becerra shared California’s experience with its “robust legal framework for consumer privacy,” and asked the legislative body not to preempt the California Consumer Privacy Act (CCPA) with the passage of federal law.
Becerra opened with his view of the data privacy space, explaining that “the optimal federal legal framework recognizes that privacy protections must keep pace with innovation, the hallmark of our data-driven economy. State law is the backbone of consumer privacy in the United States. Federal law serves as the glue that ties our communities together.”
The attorney general also reported several California enforcement successes, including a “groundbreaking settlement with Uber.” The ride-sharing service reportedly tried to cover up a breach of its driver’s personal information, but California exposed it. The state required Uber to pay $148 million in penalties and to redesign policies to “put privacy considerations at the forefront of design processes rather than as an afterthought for compliance review.”
Becerra also discussed CCPA protections, calling the law, “a game changer.” After explaining various consumer privacy protections afforded by it, he noted that “for the first time in a legal regime, the CCPA vests consumers with the right to tell a business that sells information: don’t.” He also stated that from Jul. 1, California “began issuing notices to cure to companies with non-compliant privacy policies or missing ‘Do Not Sell My Personal Information’ links.” The result, he said, was substantial compliance.
Becerra made policy suggestions about approaching data privacy, including how businesses should do away with the “collect now, monetize later” approach to consumer information. Furthermore, Becerra advocated for “clear lines on what is illegal data use from the context of civil rights protections,” pointing to “how algorithms impact people’s fundamental rights of healthcare, housing and employment, and how they may be perpetuating systemic racism and bias.”
Finally, he contended that any new federal law should include a “private right of action to complement and fortify the work of state enforcers.” This, he said is critical to deterrence and the creation of meaningful consequences for lawbreakers.
Becerra also contextualized the current climate, stating that “[t]oday, as we battle a pandemic that has moved so much of life online, companies now know more about us, our children, and our habits,” resulting in massive amounts of data collection. In closing, he encouraged Congress to set a “federal privacy protection floor rather than a ceiling, allowing my state and others that may follow the opportunity to provide further protections tailored to our residents.” In terms of inspiration, Becerra invited the committee to “look to the states as sources of nimble innovation and expertise in data privacy, and to value protections, like the CCPA, that states have already developed.”