“Your move,” says the new California Consumer Privacy Act of 2018.

Except, this isn’t a game of chess—picture it more like a million-piece jigsaw puzzle called “Cats Around the World,” and it’s been spread out on your dining room table for the past twenty years and you’re only 40 pieces in.

(Sounds like a party, am I right?)

Here’s the thing: the data privacy law that was signed on Thursday by California’s Gov. Jerry Brown is a new piece of the data privacy jigsaw puzzle that has served as the U.S.’s means to protect its citizens’ privacy. It’s certainly a huge step in terms of improved privacy laws, but it’s not quite clear how it fits into the nation’s “big picture.”

So far, the U.S.’s privacy law game is patchwork and somewhat messy. We have federal laws like The Federal Trade Commission Act (FTC Act), the Health Insurance Portability and Accountability Act (HIPAA), and the Children’s Online Privacy Protection Act (COPPA), which are aimed at specific sectors, and we also have state statutes that are aimed at the rights of individual consumers. However, there is no single principal data protection legislation, which means the currently enacted laws don’t always work together cohesively.

And this adds up to one big, confusing jigsaw puzzle with pieces that sometimes overlap and contradict one another.

Up until now, the timeline of such regulations has been slow and piecemeal. Most of our states are weak in terms of their data protection, with a few states—Florida and Massachusetts, for example—serving as “leaders” in data privacy regulations.

Already this year we’ve seen the EU’s General Data Protection Regulation (GDPR) going into effect, and we’ve also seen (way too many) data breaches in the states. The issue of data privacy is gaining notice throughout our nation and throughout the rest of the world, and now some of us are wondering: what does the future hold in terms of data privacy in the U.S.?

California’s sweeping law seems to be a good step in the right direction, but how does it fit into the rest of the puzzle?

An “Interesting” Piece, To Say The Least

California’s new privacy law will give consumers more control over their data and force data-holding companies to become more accountable and transparent. The Act establishes the right of California residents to know what personal information about them is being collected and to whom it is being sold, plus the ability to access that information and delete it. Additionally, the Act will establish an opt-in consent for individuals under the age of 16.

It’s coming into effect in the wake of the new EU law that became enforceable in May, and although it isn’t as extensive as the GDPR, it’s certainly proving to be a forerunner of U.S. privacy rights.

However, the Act also had an interesting path—surprisingly, it didn’t face much opposition from major companies despite its fleshed-out regulations.

Why not?

Because there was also a ballot measure—the California Consumer Personal Information Disclosure and Sale Initiative—that had been cleared for a vote in California in the fall, which would have proved to be an even greater challenge for companies due to its tighter restrictions and higher fines.

Major companies—like Facebook, Verizon, Uber, and Google, among others—were already lining up against the ballot, and some donated to the Committee to Protect California Jobs in a further effort to oppose it.

Leaders of the Committee to Protect California Jobs said in a statement, “This ballot measure disconnects California. It is unworkable, requiring the Internet and businesses in California to operate differently than the rest of the world…”

In the end, even though enough signatures were collected for the initiative to appear on the ballot, a compromise was reached instead. This resulted in the proponents withdrawing the initiative and the newly approved Consumer Privacy Act entering the world.

So, to sum up the story, the end result basically came about from many of the voters having to choose between “I don’t like this” or “I really don’t like this.”

…Which kind of sounds like the debate you’d have while shopping for the top two hardest bingo games at the store because it’s your great aunt’s birthday and she wants to party.

The “Puzzle” Thus Far: A Quick Data Privacy Timeline

The California Consumer Privacy Act arrives as a new and shiny addition to a slow and dusty timeline of U.S. privacy regulations.

Let’s take a quick peek at a timeline of some of our nation’s data protection laws:

1974 – Family Educational Rights and Privacy Act: restricts disclosure of educational records

1978 – The Right to Financial Privacy Act: restricts disclosure to the government of financial records of banks and financial institutions

1986 – Computer Fraud and Abuse Act: prohibits unauthorized computer access used to obtain financial information, cause damage, obtain something of value, or affect medical records

1986 – Electronic Communications Privacy Act: protects electronic communications during production, transit, and storage, and applies to email, telephone conversations, and data stored electronically

1988 – Video Privacy Protection Act: prohibits videotape sale and rental companies from disclosing data

1994 – Driver’s Privacy Protection Act: restricts states from disclosing state drivers’ license and motor vehicle records

2000 – The Children’s Online Privacy Protection Act: restricts collection of data from children under the age of 13

2003 – Health Insurance Portability and Accountability Act: protects and establishes standards for the electronic exchange and security of health information

Because the U.S. takes a sectoral approach to regulating privacy, many of the current regulations overlap in some areas while leaving gaps in others.

For example, the Family Educational Rights and Privacy Act (FERPA) generally covers data like student immunization and medical records, but it sometimes conflicts with COPPA, which only protects data for children under the age of 13.

With ever-growing sources of sensitive and valuable data, and the increasing risk of that data being mishandled and exposed, the need for solid privacy regulations is greater than ever.

But with a sectoral approach to regulations, the result is that maintaining standards of data privacy becomes a confusing and complicated task.

The Big Picture (Hopefully Not Of Cats)

There was a time when the sectoral approach was deemed by many U.S. organizations to be preferable to a more overarching approach like the GDPR: industries could establish a more “individualized” way of regulation that suited their needs, and the hodgepodge of regulations sometimes created gaps that organizations could fall into.

However, now the gaps are smaller, and the overlaps that have replaced them make it significantly more difficult and complicated for organizations to appropriately handle their data. The U.S. is still an outlier in its privacy approach, but now it’s starting to get a really bad rap across the globe.

The new California Consumer Privacy Act of 2018 is one more piece to add to the immense jigsaw puzzle that makes up the U.S.’s approach to privacy laws, but it raises important questions: how well will it fit in with already existing regulations, and how much influence will it have on future regulations?

Ideally, the nation’s future of data privacy laws will be cohesive, clean, and fit together well in a way that thoroughly protects citizens’ data and is adaptable to numerous industries.

California has made a big step towards the future of data privacy—here’s to hoping that only good things will follow.