California works to tame the Wild West of digital privacy
The state’s legislative initiative on privacy puts pressure on Congress
Sephora normally sells mascara, eye masks, and other beauty items. But it forked over a $1.2 million settlement in a California court last week for selling a product shoppers won’t find advertised anywhere on their website: aggregated consumer data.
The beauty company had been collecting and selling the habits of thousands of shoppers to third parties, a practice that wouldn’t normally have been an issue in most states. In California, a 2020 law forbids such practices without first informing consumers and allowing them to opt out of digital tracking. That’s something Sephora had failed to do. The company has since changed its practices to comply with the policy.
“[Privacy] rights are meaningless if businesses hide how they are using their customers’ data and ignore requests to opt-out of its sale,” Bonta said in an online statement. “I hope today’s settlement sends a strong message to businesses that are still failing to comply with California’s consumer privacy law. My office is watching, and we will hold you accountable.”
California has taken the lead in adopting digital privacy legislation, putting pressure on Congress to address the issue at the federal level. As many as 30 bills dealing with the issue have been introduced in the past two years. The passage of a congressional measure could supplant laws put in place by individual states.
The pressure doesn’t mean that Congress has a clear direction to go in. On the contrary, Congress is struggling to figure out the scope and level of specificity it wants to use to address digital privacy.
Republican Sen. Marco Rubio of Florida joined Sen. Elizabeth Warren, D-Mass., to introduce a bill designed to forbid the sale of U.S. service member information internationally. And following the overturn of Roe v. Wade, U.S. Rep. Sara Jacobs, D-Calif., introduced an act that would clamp down on the distribution of information gathered on pregnancy apps.
One of the most comprehensive bills that’s been introduced so far is titled the “American Data Privacy and Protection Act.” It looks to establish guidelines for how companies handle personal data that could be tied back to an individual user. Its text is similar to the California law. If passed, the bill would instruct companies to collect data only as needed for the provision of services, to require a secure way of housing that information, and to create a way for users to request the removal or deletion of their data. It would also prohibit the sale of personal information without the express consent of the user.
For the data collection industry, this act would represent a massive departure from existing restrictions. Unlike many bills in Congress, it enjoys some bipartisan support. Its author, Rep. Frank Pallone of New Jersey, is a Democrat, and two of its three co-sponsors come from the GOP.
In addition to protecting consumers, Congress is eying legislation to simplify compliance for companies like Sephora, who have to navigate privacy policies in 50 different states. The rigidity of these individual requirements isn’t at the heart of the issue—after all, companies that collect data internationally also have to meet much higher levels of security in the European Union. But federal regulations would make the rules easier to follow by establishing a single standard, giving companies a better chance to dodge multimillion-dollar penalties.
The Electronic Frontier Foundation raised concerns that the proposed federal law would not necessarily be as strong as the existing California law or those in Connecticut, Colorado, Utah, and Virginia.
“Federal privacy laws should not roll back state privacy protections. The [American Data Privacy and Protection Act], as currently written, would override a broad swath of existing state laws and prevent states from future action on those areas,” the foundation wrote in a letter to Congress. “There’s strong precedent for federal privacy laws to serve as a floor but not a ceiling.”
House Speaker Nancy Pelosi, D-Calif., opposes the federal proposal in its current form. She said she will work to find a way to make the bill compatible with state-level privacy solutions.
While Congress continues to evaluate which path it wants to take, California’s state legislature is expanding its already robust privacy library. Just last week, the Golden State passed the California Age Appropriate Design Code Act with a unanimous vote. The act isn’t set to go into effect until 2024, but it is changing the landscape of privacy by setting stringent requirements in data collection relating to minors. For now, California is setting the tone on privacy with the knowledge that its efforts could be shortly supplanted.