Here at Techdirt we've taken issue with the California Consumer Privacy Act (CCPA), not because there's anything wrong with online privacy, or even all online privacy regulation. But there's definitely something wrong with regulating it badly. As we've seen with the GDPR, not only does poor regulation struggle to deliver any of the intended benefit, but it also causes all sorts of other harm. Thus it's enormously important to get this sort of regulation right.
But that's not the current iteration of the CCPA. Born out of an attempt at political blackmail, rather than considered and transparent policy making, even with several small attempts at improvements, it suffers from several showstopping infirmities. These were set forth in a letter to the California legislature organized by Eric Goldman, who has been closely tracking the law, and signed by 41 California privacy lawyers, professionals, and professors (including me). As he summarized in a blog post hosting a copy of the letter, these defects include:
That the law affects many businesses who never had a chance to explain the law’s problems to the legislature; That compliance with the CCPA imposes excessive costs on small businesses; That its inconsistencies with other privacy laws including the GDPR requires businesses to waste extra money; The CCPA undermines other consumer privacy laws; There are drafting errors and other problems, including with overbroad definitions; and It claims an extraterritorial reach that may not be Constitutional, and will create substantial confusion for everyone, as well as costs for the state, as the question is litigated.
In other words, we can do better. As the letter concludes:
Everyone has acknowledged that the CCPA remains a work-in-progress, but there may be some misapprehensions about the scope and scale of the required changes still remaining. In our view, the CCPA needs many substantial changes before it becomes a law that truly benefits California. We appreciate your work on these important matters.