Having drilled into the European Union’s General Data Protection Regulation (GDPR) over the course of last 3 blog posts, including delivering a comprehensive GDPR cheat sheet for my readers (whose format I will use later to compare the GDPR to other data protection laws), my focus will now shift to the US. Specifically, I really want to jump into talking about the California Consumer Privacy Act (CCPA), but to do it justice I first need to set the stage for the CCPA and put it into context vis a vis US law.
Unlike the EU, the US does not have an over-arching data privacy/protection law. In fact, the word privacy is not mentioned in the US Constitution, although over time the 4th Amendment (“The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated …”) has been interpreted over the last 100+ years as providing a reasonable expectation of privacy.
But First, a Quick European Vacation
In contrast, privacy is baked into European conventions and treaties as well as the EU charter. After the United Nations’ Declaration of Human Rights (UNDHR) in 1948 [always wanted to have a pix of Eleanor Roosevelt in a blog post, she was the chair of the UNDHR Commission] …
… the Council of Europe adopted the European Convention of Human Rights (ECHR) in 1950, both of which had very similar language as it relates to privacy (e.g. ECHR Section 8: “Everyone has the right to respect for his private and family life, his home and his correspondence.”). But the key thing is it recognized privacy as a key human right, calling it clearly out.
Specific to the European Union, there is the EU Charter of Fundamental Rights, that went into full legal effect in the EU with the Treaty of Lisbon in 2009, that not only has a section on privacy (Article 7: “Everyone has the right to respect for his or her private and family life, home and communications” – note change from 1950 to 2000x from “correspondence” to “communications”) but it also has Section 8: that covers data protection:
So not only are we talking about privacy but data protection as key human rights incorporated into the core of European law. These two, plus numerous member state laws, and the passing of the EU Data Protection Directive in 1995 eventually led the European Commission to pass in 2016 the General Data Protection Regulation that went into effect into 2018. (Side note: a Regulation has binding legal force throughout the whole of the EU, while a Directive lays down markers that must be achieved by each Member State but those States have freedom to decide how they make their way into national law).
Back to the USA
In the US of A we have a patchwork of state and federal laws, some of which are sector specific and others that cover very specific personal data associated with a given industry or type of data. These Federal privacy laws have been enacted based on a variety of factors, including: [and shoutout to Lauren Steinfeld and her course Privacy Law and Data Protection for the categorization of these data protection laws]
- Who’s Got the Data. This started in the late 1960s when the federal government and credit bureaus were the only ones that had personal data on millions of people. The two best examples of laws in this category that were passed by Congress were The Privacy Act in 1974 (that regulates personal data held by the Federal government( and the Fair Credit Reporting Act in 1970 (that regulates data held by credit bureaus).
- Lawmaking by Anecdote. These laws have come up when a specific incident has made headlines. A good example is the Video Privacy Protection Act of 1988 which came about because a reporter was able to find out what Robert Bork’s video renting tastes were. Another example includes the Family and Education Rights and Privacy Act (FERPA) in 1974 that protects students’ data.
- Privacy Laws as Part of Some Other Data Sharing Initiative. The best examples are the Health Insurance Portability and Accountability Act (HIPAA) in 1996 for healthcare and the Graham-Leach-Bliley Act (GLBA) in 1999 for the financial services industry. I will cover these down the road. But they are very industry-specific, and in the case of HIPAA, have strict definitions of “covered entities” (e.g. your hospital is covered, but not your health app on your phone).
- Special Harm, Special Concern. These are laws that have been introduced to address compelling privacy harms in very specific areas. Examples include the Children’s Online Privacy Protection Act (COPPA) of 1998 and the Genetic Information Non-Discrimination Act (GINA) in 2008.
So, as you can see from above, the last US Federal privacy act of note was in 2008 and it was for a very specific (or dare I say, narrow) concern re: genetic/DNA info. You have to go back the 90s when we had major laws such as HIPAA and GLBA involving privacy, but again for specific industries, so to this day other huge segments of the economy are not covered.
California Here We Come
So as of lately it has been at the state level where most of the Data Protection and Privacy law action has been taking place in terms of passing legislation, and it has been my home state of California that has led the way.
First off, California voters amended its State Constitution in the early 1970s to include the right of privacy among the “inalienable” rights of all people: “All people are by nature free and independent and have inalienable rights. Among these are enjoying and defending life and liberty, acquiring, possessing, and protecting property, and pursuing and obtaining safety, happiness, and privacy.”
Next, California was the first to enact a comprehensive Data Breach Notification law in 2002.
Then in 2004 California added the first state law in the nation to enforce the public posting of privacy policies on websites. This law is called the California Online Privacy Protection Act (CalOPPA).
[On a side note, mostly security-related, I am intrigued by California’s law re: IoT devices not having the same default built-in password. It came into effect on Jan. 1 2020. Will hope to circle back to this law, but it could also be another California first?]
Finally, the most significant privacy legislation in the US since the 1990s was passed in California with the California Consumer Privacy Act (CCPA) in 2018.
In my next blog post I want to drill down in California’s Data Breach Notification law as it sets the stage for the CCPA … and don’t worry, I will get to CCPA soon! It took me 2 blog posts to tee up the GDPR, so I have to do the same with the CCPA!