California has passed a baseline consumer privacy law called the California Consumer Privacy Act — the first ever to make it into statute in any American state. The politics triggering this development were intriguing: a real estate developer seized on the public sentiments induced by the Cambridge Analytica incident and took on Silicon Valley’s titans, funding a $3 million campaign for a ballot initiative to legislate sweeping new privacy reforms.

Boxed in by the popularity of the initiative, internet-based and internet-dependent companies – which are most affected by privacy legislation because their business models are premised on access to personal data — were forced to accept the reality that some form of privacy legislation would pass. Thereafter, California lawmakers worked feverishly to construct a bill that could be more workable for businesses than the ballot initiative but which would still protect individual privacy. The law was negotiated, written, and passed in a previously unimaginable period of just seven days.

ADVERTISEMENT

It is frustrating that such an important law was developed in such a short period of time; situations like these can result in unintended consequences, loopholes, or lax protections for consumers. It will have implications for all Americans; most companies would rather adopt the most protective standard rather than create one system for Californians and a separate one for everyone else. Congress can and should build on it in a thoughtful way at the federal level.

The promise of the internet and the digital economy is its power to democratize commerce and discourse. That power, however, is largely dependent on the ability to provide internet-based services in exchange for targeted advertising. That’s what makes these services free and widely used. But this model necessitates corporate access to people’s information. What the California law gets right is that this access should be transparent and consistent with a consumer’s preferences and permission; that establishes a dynamic that forces companies to be explicit in the exchange of value with the consumer.

Key provisions in the California bill that represent progress include, first, its stipulation that everyone should have the right to know who is collecting and using their information and for what specific purpose. It also affords people the right to object to the sale or distribution of their information. Third, residents will have the right to object to any specific party’s stewardship of their data as it travels through the digital ecosystem. And lastly, residents will have the right to demand access to information that commercial actors hold on them — and demand its deletion if they wish.

It is also critical to note that the California law recognizes that nothing is free. Ad-supported commercial service providers have rights too, including the right to monetize the provision of those of services. If a consumer is going to exercise his or her right to deny that monetization through interest-based advertising, that decision should not be penalized but neither should it be rewarded. The California law posits that a service provider cannot deny a service on the basis of a consent choice – but that it can also make up the monetization lost through some other form of compensation. This is a key recognition in the law that deserves further analysis on how best to execute on the principle in question.

But Congress needs to act because the California law does not incorporate some key ideas that have been presented in prior deliberations. For example, the OECD privacy principles and prior efforts at legislation in the United States, including the bipartisan Kerry-McCain Commercial Privacy Bill of Rights Act of 2011 and the Obama administration’s Consumer Privacy Bill of Rights, are all useful guides for constructing new law and building on the California benchmark.

Valuable provisions from the previous efforts cited are that federal legislation should focus on encouraging privacy by design and sound data management practices without favoring one kind of data collector over another. And legislation should not imply that the exchange of data is inherently bad; it is not.

Instead, privacy is about offering the individual greater control and transparency into corporate practice. A legislative framework that encapsulates these ideas can help us retain what is good about the data-driven economy and simultaneously rein in malicious actors. And lastly, to preserve implementation flexibility and innovation, new law should establish a framework to enable self-regulatory programs certified by federal regulators to police corporate activities in accordance with legislated principles and requirements.

The goal should be to focus on outcomes rather than process and ensure that the consumer’s interests are placed at the center of the digital ecosystem. The California initiative spurred the California law and hopefully, the California law can spur us to transparent, inclusive and deliberate action at the federal level.

Daniel Sepulveda is vice president for Global Government Relations at MediaMath, and served as deputy assistant secretary of State and U.S. ambassador from 2013-17.

Dipayan Ghosh is a fellow at the Shorenstein Center at the Harvard Kennedy School. He served as a technology and economic policy advisor in the Obama White House, and until recently worked on privacy and public policy at Facebook.