By Therese Poletti
As technology companies have grown from dot-com upstarts to the most powerful entities in America, U.S. legislators have done virtually nothing to establish new laws that regulate the companies and their products, even as negative effects ripple throughout society daily.
That is beginning to change. Nationally, antitrust actions announced in 2020 seek to undercut some of the power of these now-entrenched giants, with suits seeking to break up Facebook Inc., rein in Alphabet Inc.’s Google and establish a new standard for Apple Inc.’s cut from App Store developers.
The most expansive efforts to regulate Big Tech, however, have come from the state that birthed most of the world’s largest tech companies, California. The Golden State has introduced a series of laws that seek to temper the worst elements — a lack of data privacy and security, exploitation of an underclass of low-paid workers, and homogenous, club-like leadership that perpetuates systemic sexism and racism in the technology industry.
Those laws, though, are controversial and face an uncertain future, amid both industry-backed efforts to establish friendlier standards and lawsuits seeking to abolish or hamper regulation. While that is already damaging some of California’s efforts in the short term, the issues these laws face should offer other states and the incoming Biden administration examples of the legal challenges ahead.
As we head into 2021, there is finally momentum on a federal level to address the negative effects of letting Big Tech run rampant in the past decade. Hopefully, lessons learned in California will help guide other states and federal legislators in crafting fair laws that protect Americans while still allowing tech companies to flourish.
In 2018, California was the first state in the U.S. to adopt data-privacy legislation that in many ways mirrored the European Union’s General Data Protection Regulation that was implemented in 2018. The resulting California Consumer Privacy Act, which went into effect in January 2020, created significant new data protection obligations for businesses based in the state and new privacy rights for Californians.
But before the CCPA, as it is referred to, went into effect, there was concern that it did not go far enough and that there was no real instrument to enforce the law. That led to Proposition 24, an initiative led by San Francisco investor and privacy advocate Alastair Mactaggart that passed with 53% of the vote in November. Known as the California Privacy Rights and Enforcement Act of 2020, or CPRA, Prop. 24 amended the CCPA with stricter regulations for companies and the creation of an enforcement agency.
“CCPA really changed a lot, for California law, and for the world,” said Paul Schwartz, a professor at the Berkeley Law School and director of the Berkeley Center for Law and Technology at U.C. Berkeley. “Both CCPA and CPRA govern businesses based in California and processing information of California residents. Since California is the fifth largest economy in the world, that is a lot of information. It’s a wide reach.”
The CPRA, he said, is an elaborate amendment to the CCPA. Enforcement of the new law will not begin until July 2023, giving businesses some time to address the new requirements, which provide more consumer protections.
In a November article in the San Francisco legal newspaper The Recorder, a trio of attorneys at Gibson, Dunn & Crutcher spelled out some of the biggest additions to the CPRA for companies. One is determining the difference between a consumer’s personal information and sensitive information, which requires more compliance measures. Businesses will also have to again analyze their internet advertising practices, reconsider whether they are selling personal data and what the definition of a sale is, evaluate their data minimization and retention practices, update their disclosures and review third-party relationships, to name a few additions.
“As the new law comes closer, there will be even more overlapping considerations for companies to review in light of expanding obligations across the globe,” said Cassandra Gaedt-Sheckter, of Gibson, Dunn, in an interview. “For example, the CPRA adds concepts of data minimization and data retention—that is, only collecting what is truly needed, only using the data for the purpose for which it was collected, and only retaining for as long as necessary—which are considerations that companies may have needed to consider for other laws, such as GDPR in the EU.”
The existence of the CCPA led to at least 20 class-action lawsuits filed in 2020 against a range of companies, for either failing to protect customer data in data breaches, a lack of notification of data collection, or no opt-out options for the customer, according to a list compiled by the nonprofit International Association of Privacy Professionals, or IAPP.
Some cases are in arbitration, and a few have already been dismissed. Four cases against Zoom Video Communications Inc. have been consolidated into one. This month, Zoom responded with a motion to dismiss, contending that the plaintiffs do not allege that their own personal data was disclosed and instead allege that Zoom disclosed device data of unspecified users. Zoom also added that invasion of privacy claims contain only a “passing reference” to the CCPA.
Since most class-action suits filed by individual parties tend to settle out of court, it’s not likely these current cases will impact future interpretations of the law. The key will be any actions brought to enforce the new data privacy laws by the state, which will establish precedent for enforcing the new law.
So far, California Attorney General Xavier Becerra has not filed any cases seeking to enforce the CCPA, with other urgent issues taking precedence during the pandemic. Becerra has since been selected by President-elect Biden as secretary for health and human services, further delaying any tests of the law.
“In California, you have this launching of a new law,” said Lee Tien, legislative director at the Electronic Frontier Foundation. “But we haven’t been in the best situation to enforce it, between the jobs that the AG had [to fill] and the coronavirus pandemic.”
And now, that may be a moot point, as the new California Privacy Protection Agency takes over enforcement when the CPRA goes into effect in 2023. The pandemic, change in the AG role and delay in implementing the new law likely mean that nobody will know how California’s massive data-privacy efforts are going to work in practice for years to come, which could delay pushes elsewhere for similar legislation.
A few other states, such as New York and Washington, have been looking at introducing data-privacy laws, though not as comprehensive as CCPA. There have been numerous failed attempts at a federal data privacy law in Congress.
“When you go state to state, there is no question that after CCPA was passed, there was a lot of discussion. ‘The biggest state in the country just passed this law, maybe something can happen here,’” Tien said. But he doesn’t have any expectations of any congressional consensus on any kind of federal law anytime soon.
“Nothing will happen until the new administration comes in,” said Sundeep Kapur, an associate in the privacy and cybersecurity practice at Paul Hastings in Washington. “There has been talk about a federal law. I do think privacy is on the table, whereas if you had asked a privacy prof a few years ago, they would say no way. Whether it passes is going to be a guessing game.”
Establishing rules for the ‘gig economy’
California’s effort to stem the unfair labor practices of the so-called gig economy hit its biggest roadblock in 2020.
The legislature in California approved Assembly Bill 5, or AB5, in 2019, to codify a recently established judicial standard for what constitutes an employee in the state. The law reclassified many areas of contract workers as employees, giving them protections such as minimum wage guarantees, sick leave, unemployment insurance, overtime pay and other benefits.