California privacy law must be changed to avoid making user data more vulnerable

The Internet Association is urging legislators to make changes to the California Consumer Privacy Act.
The Internet Association is urging legislators to make changes to the California Consumer Privacy Act.

Americans deserve modern privacy rules that provide meaningful control over personal data, whether it is collected online or offline, from companies across all industries. That means giving people the ability to access, correct, delete and download their data. Full stop.

That’s the position of America’s internet companies. Any assertions to the contrary — including those made by the group Common Sense in The Sacramento Bee’s opinion section Dec. 3 — are incorrect.

While the California Consumer Privacy Act might aim to meaningfully enhance data privacy, Californians could find it fails to achieve its purpose if it is not improved before it goes into effect in 2020.

The law was passed last summer with the idea that it would be amended and fixed in 2019. The Internet Association, on behalf of the companies we represent, has been working with the California Legislature and other stakeholders to find reasonable solutions to CCPA’s substantive problems. These problems were given short shrift during the extreme rush to pass the law, but now must be addressed.

Many of the law’s problems arise from overly broad definitions of consumers, transactions and other elements of online business.


As the law is written, anyone could access detailed information on anyone they live with, whether a family member or a disgruntled roommate. Giving people other than you full rights to your personal data isn’t an improvement to privacy.

The law’s requirements, intended to make personal data more accessible, would indirectly make the data more vulnerable. Since the law requires businesses to turn over any individual’s personal information upon request, businesses will have to store that data in a way that is connected to each unique individual. Data that previously was stored anonymously or de-identified would be directly attached to you under CCPA, as the law does not effectively allow businesses to store it otherwise. This makes your data less secure, less private and more exposed to hackers.

Robert Callahan.jpg
Robert Callahan

As if that isn’t enough cause for concern, CCPA threatens to disrupt online ad-supported business models that provide high-quality services for little cost. Ads are an important part of the internet ecosystem. They help fund the work of news organizations and other online content creators while allowing nonprofits to find donors, musicians to find audiences and animal shelters to find new homes for pets. Highly relevant ads can be shown to you without compromising your personal information, and if the advertiser is lucky, maybe you’ll click and take a look. If not, no bother, carry on. Under CCPA, this important business model is in jeopardy.

How are people going to react when California’s bold new privacy law, ushered in with such fanfare and praise, misses the mark? How about the rest of the country, which so often looks to California for innovative leadership on these issues?

While the passage of CCPA this year was certainly historic by most measures, the process was no model of sound policymaking. The European Union’s General Data Protection Regulation underwent four years of deliberation before passage; CCPA got one week. There was little input from the companies that will bear the burden of compliance. To pretend the law is without fault today is to ignore the realities of how the law came to be and the complexities of data regulation.

CCPA can be a positive precursor to better privacy laws and practices or it can be a cautionary tale. Fortunately, there’s still time to get it right before the law goes into effect. The Legislature should address these infirmities head on in the coming session.

Robert Callahan is vice president of state government affairs for the Internet Association. He may be reached at