By Amy E. Keller and Adam J. Levitt
Some of the most malicious actors on the internet inflict harm by assuming benign personae. Hackers pose as system administrators. Catfishers simulate attraction. Email scammers spin elaborate tales of distress. To this list of dangerous pretenders, we must now add another seemingly benevolent group: Fortune 100 CEOs.
In September, 51 CEOs from the Business Roundtable published an open letter urging congressional leaders to pass a “comprehensive data security law that strengthens protections for consumers.” Signatories include the CEOs of Amazon, AT&T, IBM, and Visa. When these corporate leaders assert that “[w]e are committed to protecting consumer privacy,” it is tempting to believe they are acting from genuine concern for consumers whose personal data is in their care. Of course, it’s also tempting to believe the pleas of Nigerian princes.
In both cases, it’s naïve to do so. The timing of the letter, and the content of its legislative proposal, make it painfully clear that the CEOs’ goal is not to protect consumers, but rather to limit consumers’ rights and remedies and insulate the CEOs and their companies from legal exposure.
Data breaches have plagued consumers for well over a decade—even before a 2005 breach that left 92 million AOL customers’ information compromised. Since then, there have been more than 4,500 breaches, and the more than 800 million individual records they affected have been stolen and forced into the public square.
This late in the game, the Roundtable CEOs did not suddenly find religion on data security. Rather, their effort—and their current sales pitch for that effort—was spurred by a sweeping California privacy law that becomes effective in less than four months, and by their desire to neuter it.
CCPA’s Private Right of Action Is Vital
The California Consumer Privacy Act, however, is precisely what the CEOs claim to want: “a comprehensive data security law that strengthens protections for consumers.” Applying across industries, the CCPA provides consumers with a collection of significant data privacy rights, including the right to opt out of the sale of their personal information to third parties, and the right to damages for breaches that occur when businesses fail to maintain reasonable data security.
That private right of action—and in particular, the fact that the CCPA enables consumers to recover $100 to $750 for each incident—is a vital legislative benefit. Consumers are rightfully fed up with the data breach epidemic; yet, existing laws neither carry the deterrent force to make companies prevent breaches, nor provide consumers with sufficient relief to compensate them. Moreover, when consumers do attempt to seek relief against large, well-resourced companies—such as the Roundtable companies—they face significant litigation costs and aggressive defense tactics.
Not only are consumers expected to make their case when a corporation cloaks the most useful, internal documents with a claim of “privilege,” but they must also open up their own online practices to scrutiny, as most companies now argue that they can’t be held responsible for their own negligence due to all of the other breaches a consumer has already lived through.
This creates a perverse dynamic: corporations are allowed to collect and substantially profit from consumers’ data, while, at the same time, contending that they have no duty to protect it because some fragment of it is already on the black market.
Unfortunately, some courts are agreeing with defendants—finding that corporations owe no duty to keep personal data secure, or that consumers cannot sue a corporation until their identity is actually stolen. By then, however, it’s often too late for consumers to take steps to protect themselves.
Against that background, the CCPA offers urgently needed protection for consumers, the crown jewel being its private right of action, which empowers consumers to directly sue companies for CCPA violations.
Because state borders have limited relevance to the Internet, however, some of the CCPA’s most significant benefits would effectively establish a floor of protections that corporations would, in practice, offer to all U.S. residents as the price of doing business in California (not unlike the current conflict between various automakers and the Trump administration regarding those automakers’ decision to follow California’s more stringent vehicular emissions standards, rather than the lower standards that the administration recently proposed).
Request to Gut Law
It is revealing, then, that the Roundtable CEOs are not embracing the law. Instead, their letter is a request for Congress to gut it.
Instead of requesting that Congress enact nationwide legislation materially similar to the CCPA, they demand that Congress pass a watered-down bill that gives the appearance of protecting consumers, while rendering state laws on the subject invalid through the exercise of a federal power known as preemption.
The CEOs claim that federal legislation should preempt state laws to avoid a “patchwork of inconsistent laws,” which could confuse consumers about their rights. Of course, inconsistency and confusion can be remedied by a federal law that vigorously protects consumers as easily as one that abandons them.
And yet, the CEOs’ legislative proposal demonstrates that their true goal is the latter. The final words of the Roundtable CEOs’ policy framework expose their purported concern for consumers as a lie, when they assert that a “national consumer privacy law should not provide for a private right of action.” Put simply: if Congress accedes to these CEOs’ demands, consumers will be denied access to justice and stripped of their right to hold companies accountable for mishandling their data.
That advice, if taken, would work tremendous harm to consumers while ensuring that massive data breaches remain a fact of modern life. Congress should step in with federal legislation only if it provides protection at least as strong as the CCPA. If Congress follows that path, it will not be alone in rejecting the Business Roundtable’s disingenuous letter. The 51 who signed it are, in fact, a minority of that group. Perhaps those who elected not to sign that letter saw this stunt for exactly what it was: merely the latest, most sophisticated cyberattack to threaten consumers nationwide.
This article was originally published as a Bloomberg Law Insight.