Just another half-baked law in California
California lawmakers have developed a habit of passing laws that are designed to provide far-reaching protections for workers and consumers — and serve as a model for other states or the federal government.
Despite their high pretensions, these laws often are half-baked and result in vast and troubling costs and repercussions.
The most pernicious recent example is Assembly
Bill 5, which bans many companies from using contractors as workers. Freelancers now are losing their jobs. Industries that rely on drivers are plagued by uncertainty. The law faces litigation and a possible statewide initiative to roll back its provisions. As they say in baseball, it’s an unforced error.
Another new law rivals AB5 for its disruptions. Passed in 2018, the California Consumer Privacy Act went into effect on Jan. 1.
Its intentions are good: to let consumers know about — and control — the personal online information that companies collect. Its restrictions are creating a de facto national standard given the size of the California market.
The law’s most obvious fallout can be found in your inbox. Californians are being inundated with emails from companies that are updating their privacy and information policies.
Under the new law, consumers have the right to know what information companies are collecting and the right to have it deleted, although there are some exemptions.
The legislation is understandable given consumers’ vulnerability to data breaches and other unauthorized uses of private information. The problem is in the details, as usual. For starters, the definition of private information is extremely broad. This includes “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
That creates a vast, unclear and enormous body of information — and companies will be forced to create a costly infrastructure to figure out how to comply with these requests. Not just California companies, either, but a broad array of companies that do business in our state.
The cost for noncompliance — or even questionable interpretations of its Byzantine standards — can be inordinately high. It provides a “private right of action” that is common in some of California’s most onerous laws The state attorney general can prosecute a data breach and individuals can sue on their own even without proving harm. It allows fines up to $750 per consumer, per incident. The California Chamber of Commerce predicts “a barrage of shakedown lawsuits.”
The legislation targets mid-sized to large companies (gross revenues of more than $25 million), but also applies to businesses with 50,000 yearly online visitors. That’s not a particularly high threshold and will ensnare smaller companies.
Perversely, companies might now need to collect even more personal data, thus jeopardizing the law’s goals. “(T)o enable the required access, erasure and portability of personal information, businesses may need to make all of their data identifiable,” wrote Eric Goldman, co-director of the High Tech Law Institute at Santa Clara University, in a letter last year to legislators.
Goldman referred to the law as a “work in progress.” That is the problem with this and many other well-intentioned legislative efforts. In the rush to pass groundbreaking reforms, the Legislature is rushing unformed measures through the process, thus causing unnecessary harm to the businesses, workers and consumers it’s trying to protect.