The impending fallout from various new data privacy policies

The road of best intentions can be unintentionally fraught with setbacks and unexpected dead ends when too many “cooks in the kitchen,” get their hands on the recipe. This is a problem we

are seeing borne out with the confusing and disjointed implementation of various new data privacy policies.  Good laws make good sense. But until more is understood about the challenges of

complying with existing data privacy statutes, the Legislature and regulators need to put the brakes on adding new requirements that harm California business while they are trying to recover

from significant pandemic-related impacts. For our Asian American-owned businesses, nearly one-third had reported that their operating capacity decreased by more than 50% in 2021, according

to a UCLA survey. Additional mandates will make business recovery even harder. The California Consumer Privacy Act, which governs the collection, use and disclosure of consumers’ “personal

information,” was enacted in 2018 and took effect Jan. 1, 2020. In September of 2019 – months before the new law even took effect – the Legislature passed and Gov. Gavin Newsom signed into

law five major amendments to the privacy act, one day after then-Attorney General Xavier Becerra released proposed new implementing regulations. In 2020, the Legislature imposed multiple

additional requirements via at least four new laws, and in November of that year, voters approved the California Privacy Rights Act, which significantly amended and expanded the California

Consumer Privacy Act.  Additionally, the California Privacy Protection Agency, the governing agency created by the California Privacy Rights Act, has proposed implementing new regulations.

The Department of Justice announced its intent to begin an “investigative sweep” of businesses operating in alleged noncompliance with provisions of the California Consumer Privacy Act. This

is very worrisome, especially for those of us representing minority-owned small businesses who historically are unaware of new government mandates and changes.  The chaotic, rapid-fire

onslaught of privacy laws and regulations threatens to eclipse a sincere and well-intentioned effort to protect California consumers.  It is highly likely businesses will be paying higher

costs. According to an economic analysis report prepared for the attorney general, the original California Consumer Privacy Act presented operational and compliance costs which could total

$55 billion. The new privacy laws and regulations will impact most California businesses.  Many businesses are under the impression that the data privacy rules and regulations only apply to

big tech and large corporations, but in reality, it is our small- and medium-sized businesses that will be impacted the hardest, either directly by having to develop a comprehensive and

expensive privacy infrastructure or indirectly when free products and services are eliminated or moved to a subscription model. The laws are so confusing, complex and ever-changing that many

companies are simply not complying. A recent study by technology security firm CYTRIO found that 89% of affected companies in the U.S. are not compliant or only partially compliant. Only

11% overall have automated Data Subject Access Requests, a key element that gives consumers the right to access their own data; almost half (45%) utilize expensive, time-consuming and

archaic processes like email and web forms to comply with requests, and 44% lack any mechanism whatsoever.   It’s not that they don’t want to comply; after years of changes and new

requirements, they don’t know how_ _to comply.  But the worst damage is to everyday Californians. Consumers, likely confused from the start, have no idea of the potential loss of free

services and introduction of paywalls that may result from a landslide of mandates and limitations on the operations of the internet.  Before more damage is done, the California Legislature

and California Privacy Protection Agency need to commit to a redemptive and measured approach to data privacy issues.  Lawmakers must stop making changes to the existing laws and work in

concert with affected stakeholders, as well as review existing laws and analyze the positive and negative impacts of current regulations. And only then should the Legislature and the

California Privacy Protection Agency consider whether additional policies are necessary.  _____ _Pat Fong Kushida has also written about why California lawmakers must __commit to small,

minority-owned businesses__ and why an __Asian American Pacific Islander should replace__ Kamala Harris in the U.S. Senate._ _____