California State Flag flying under US flag with palm tree in the background
PHOTO: Tina Chelidze

The California Consumer Privacy Act (CCPA) has been in force since Jan.1. I’ve previously addressed questions about compliance and how many companies differ on how they classify themselves in regards to being sellers of data. Even major tech companies interpret the law differently. But one thing is not in question: The fact that while present issues surrounding the law are still being sorted out, the future of CCPA is already being discussed. California’s lead in privacy in the US is widening, and powerful EU data privacy regulators are taking note.

CCPA 2.0

Late last year Alastair Mactaggart, architect of the CCPA, introduced a new initiative for the November 2020 California ballot that, if passed, would significantly strengthen the CCPA and create a new enforcement agency known as the California Privacy Protection Agency. This is interesting because Mactaggart introduced this new initiative before the current version of CCPA even went into force.

In addition to establishing a new enforcement authority, the updated law would also include "new rights around the use and sale of sensitive personal information," increase protection for children by "tripling CCPA's fines" for children's privacy violations, and require companies to receive opt-in consent before collecting the personal information of consumers under the age of 16.

In speaking about his new initiative, Mactaggart indicated that raising the bar for California may raise the bar for the entire US in the event its fabled federal privacy law becomes a reality. Mactaggart said that conversations in Congress regarding a federal law have included calls for “nothing weaker than California,” underscoring the importance of his new initiative as it relates to the US as a whole.

California has even piqued the interest of EU regulators, who recently discussed the possibility that, at least in theory, California could achieve adequacy for data transfers under GDPR rules. Adequacy has previously been granted to entire countries, Crown Dependencies, territories of EU member states, or frameworks such as Privacy Shield. We have never seen it granted to an individual state within a country. Hopefully this possibility will encourage the rest of the US to get on board with a strong GDPR-like federal privacy law — one that is powerful enough to satisfy the EU and protect citizens on both sides of the Atlantic.  

Related Article: Preparing for New Data Privacy Regulations? Learn From GDPR

What 'Adequacy' Means Under the GDPR

What does “adequacy” mean in reference to the EU’s privacy regime? Under the GDPR and its predecessor, the Data Protection Directive, the EU has stringent restrictions regarding the transfer of EU citizens' personal data to countries outside of the European Economic Area. Personal data can, however, flow freely to countries that are officially recognized as adequate by the European Commission.

To be deemed adequate, a country must have data privacy protections in place that are substantially similar to protections provided in the EU. To become official, the European Commission must adopt an adequacy decision after a lengthy, multi-stage process that also involves the European Data Protection Board and the EU Parliament. The US is not currently considered adequate, and therefore it’s not legal to transfer data to the US without additional protections. For now, the only US-specific data transfer mechanism is known as the Privacy Shield framework which applies only to eligible companies who self-certify under the framework.

A major criticism of Privacy Shield is that it fails to safeguard EU data from US intelligence agencies. Privacy Shield just passed its third "health check," but the framework’s validity is currently being challenged before European courts.

Related Article: What the GDPR Means for Your Organization

Can an EU-California Data Privacy Deal Get Done?

Privacy experts are now debating whether or not it’s possible for the EU to make a data privacy agreement with a single US state. In theory, it is possible based on Article 45 of the GDPR which explicitly permits an adequacy decision for a “territory or one or more specified sectors within” a country, such as a state. In its current form however, California and its CCPA are unlikely to meet the minimum threshold required to achieve such a decision.

Obstacles to California being accepted include:

  • Despite being the strongest privacy law in the US, in its current form, CCPA falls short of the sweeping consent and opt-out controls afforded to data subjects under the GDPR.
  • CCPA is enforced by the California Attorney General, rather than an independent, dedicated supervisory authority.
  • CCPA only protects the personal information of California residents.
  • California is still subject to US federal law.

If passed, Mactaggart’s new initiative would appear to address some of the issues noted above and would bring California closer to being a legitimate candidate for adequacy. The reality, however, is that California still has a long way to go before adequacy becomes a real possibility.

For now, the fact that such a scenario is even being discussed shows just how relevant California is to privacy on the global stage, which will hopefully lead to more pressure on federal lawmakers to get in line with what US citizens and the world community are increasingly demanding: comprehensive privacy protection for all. With future changes in California possible and more states following suit, it could be quite an interesting regulatory ride.

Related Article: Is it Finally Time for a Federal Privacy Law?