WASHINGTON, DC – California Attorney General Xavier Becerra testified today before the U.S. Senate Committee on Commerce, Science and Transportation on California’s privacy laws. Attorney General Becerra discussed data security, privacy rights, and the landmark California Consumer Protection Act (CCPA).
Attorney General Becerra's testimony as delivered:
Mr. Chairman, to you, Ranking Member Cantwell and to the members of the committee, thank you for this invitation. My apologies for the technical difficulties. But let me go ahead and begin.
State law is the backbone of consumer privacy in the United States, and federal law serves as the glue that ties our communities together. In the data privacy space, the optimal federal legal framework recognizes that privacy protections must keep pace with innovation. That's the hallmark of our data-driven economy. To keep pace, we must all work from the same playbook, yet be nimble enough to adapt to real-world circumstances on the field where we meet them.
Every day, states tackle these challenges. We use federal law as our playbook. Then, like a good quarterback, we adapt to what we see coming at us. As you consider enacting a federal digital privacy law, give us a playbook. But don't preempt smart, nimble privacy protections that let states meet the varying challenges coming at us, from Mississippi to Washington State, to California.
Now, California has been at the forefront of privacy legislation. The right to privacy is enshrined in our state constitution. We enacted the country's first data breach notification law in 2003. Last year, we amended it to protect biometric information as well. Keeping pace with technology is crucial. That's how we were able to hold Equifax accountable for breaching the confidentiality of over 148 million Americans' Social Security numbers. That's how we were able to hold Uber accountable with nearly $150 million in penalties after it tried to cover up a breach of its drivers' personal information. And that's how California got Glow Inc., which markets a fertility app, to reform its business practices and cure privacy and security flaws before a serious breach occurred and without going to trial. And that, of course, is how California passed the nation's game-changing digital privacy law, the California Consumer Privacy Act (CCPA). When it comes to personal data, Californians now enjoy the right to know, the right to delete, the right to opt out of sale, and the right not to be treated differently if they exercise CCPA rights. For the first time in a legal regime, Americans, at least in California, have the right to tell a business that sells their information, don't. This protection is stronger for minors up to age 16 and strongest for children under 13.
Businesses are working hard to comply with CCPA. We're working hard too. We've issued notices to cure to companies with noncompliant privacy policies. We're verifying that service contracts specify limitations on the use of personal information. We continue to conduct investigative sweeps, and overwhelmingly we have seen real effort at compliance.
Now, CCPA is not perfect, but it is an excellent first step. Here are some ways to improve. Consumers should have a private right of action to complement and fortify the work of state enforcers. My office is working hard to hold companies accountable for violating privacy laws, but defending the privacy rights of 40 million Californians is a massive undertaking. Consumers need the authority to pursue remedies themselves. Consumers deserve their day in court. As California State Senator Hannah-Beth Jackson explained, a right without a remedy is no right at all. We should also know what constitutes illegal data use under civil rights protections. Indirect inferences based on personal information should not be used against us in health care decisions, insurance coverage, or employment determinations. We also need greater transparency on how algorithms impact people's fundamental rights in health care, housing, employment, and how they may perpetuate systematic racism and bias.
Businesses that dive deep into collecting our data should also disclose specifics of the data they collect. They should minimize the collection of personal data and use that data for the purpose the consumer allowed. Finally, consumers should have the ability to correct errors in personal data.
Mr. Chairman, today, as we battle a pandemic that has moved so much of life online, companies know more about us, our children, our habits than ever before. That data is today's gold. And as with gold, there's been a rush to mine, use, and sell our personal information. Americans need robust tools that allow them to understand who has their data, what was collected, if it can be deleted, and how they can opt out of downstream selling. As you consider federal legislation to advance much-needed privacy rights to consumers across the country, I urge you not to preempt the important work and nimble innovation like CCPA that is happening at the state level. States are the laboratories of democracy. I urge you to favor legislation that sets a federal privacy protection floor, not a ceiling. That's a model that Congress has employed in other consumer protection legislation.
And in conclusion, I know I speak for my colleagues when I say we are ready to offer you our support and the insights of our experiences and best practices as you move forward.
Thank you, Mr. Chairman.
Attorney General Becerra’s written testimony is available here.