It has long been the case that what happens in California, legislatively, tends to spread across the country. There are numerous examples where the state has been a catalyst for legislation introduced in other states and has prompted discussions at the federal level. But California is not alone in this policy incubator phenomenon. California, Oregon, and Washington specialize in advancing progressive ideas. We have witnessed this more recently with privacy. While much of the motivation by policymakers is a reaction to developments in the technology industry, the legislative response tends to be less precise and spills over other business segments.
Case in point, in 2018, the California Legislature passed the most comprehensive privacy law in the United States known as the California Consumer Privacy Act (CCPA). Among other provisions, the CCPA establishes consumer rights: 1) to know the personal information a business collects on them; 2) to delete their personal information; 3) to prevent sale of their personal information and; 4) to be free of discrimination in the offering and pricing of services based on the consumer’s exercising these rights. The law also provides a private right of action when a consumer’s nonencrypted and nonredacted personal information is subject to unauthorized access and exfiltration, theft, or disclosure as a result of a business’s failure to maintain reasonable security procedures.
And even though policymakers knew the CCPA needed further refinements, including finalization of rulemaking that remains pending, we knew the action taken by California would result in various states attempting to model the CCPA. An example of this is pending legislation in Washington. Discussions with stakeholders began in late 2018 following the enactment of CCPA. However, the effort quickly bogged down due to competing interests and disagreements on how far the policy should go. Neither side could reach consensus on solving major policy issues such as the use of facial recognition technology and creating a private right of action for violations, causing these initial efforts to stall.
Washington lawmakers have reintroduced two measures this year. Legislation passed from the Senate (SB 6281) contains a GLBA data exemption and is now in the House for consideration. A companion House bill (HB 2742) passed from the policy committee but ultimately died due to substantive amendments that included a private right of action opposed by the business community. It is anticipated that the onerous language from the House measure will be forced into the Senate bill; this may cause lawmakers to finish the year without enacting CCPA-like privacy legislation with the debate continuing next year.
And in Oregon, the topic of facial recognition regulation is rearing its head. While the Oregon Legislature has not taken up the subject so far, the city of Portland is exploring whether to regulate its use. Proposed ordinance language has not been made public, and discussions with stakeholders are ongoing. The city appears to be looking to solve three broad issues: first, whether there should be regulation on facial recognition technology in public spaces; second, what regulation or limitations, if any, should be put in place for facial recognition technology used on private property, including commercial property; and, third, whether there should be regulation on the use of data derived from facial recognition technology. While the timeline for adopting a plan has not been determined, it is possible that an ordinance could be in place later in the spring or early summer.
Even in more conservative states, like Arizona, two measures are pending that bear significant resemblance to the CCPA. While the legislation is not expected to pass, it is further evidence that what happens in California doesn’t typically stay in California.
For banks that operate in different parts of the country, what happens on the West Coast matters. So, what other public policy issues under discussion in California might spread? Last year, the governor signed a measure allowing municipalities to establish a public bank under the false narrative that private sector banks were misaligned with the value of their communities. We know that public banking advocates will take their success in California and attempt to export it to other states.
This January, Governor Gavin Newsom unveiled plans to restructure the regulatory agency that oversees California state-chartered financial institutions. Under the plan, the California Department of Business Oversight (DBO) will be renamed as the Department of Financial Protection and Innovation (DFPI) and will increase its emphasis on consumer protection and innovation relative to financial technology and products. These reforms are being advanced, in part, given concerns about a shift in priorities at the federal level, a desire for the state to demonstrate ongoing leadership, and an interest in fostering innovation and establishing the appropriate controls for providers of financial services.
According to preliminary information provided by the DBO, the purpose of this proposal is to 1) restore financial protections that have been paralyzed at the federal level; 2) protect consumers from predatory businesses, without imposing undue burdens on honest and fair operators; 3) spur — not stifle — innovation in financial services by clarifying regulatory expectations for emerging products and services; 4) extend state oversight to important financial-services providers not currently subject to state supervision; 5) increase public outreach and education, especially for vulnerable populations; and 6) provide more effective response to consumer complaints.
Should the plan to restructure DBO be successful, we anticipate other states will follow. California relishes and takes great pride in its role as a legislative pioneer. As the legislative year in California unfolds, we’ll have a better sense of public policy issues that may catch fire elsewhere.