Privacy Wins, No Matter Who Claims California Senate Seat

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By George R. Lynch

July 27 — Two candidates with significant privacy records are vying for California's open U.S. Senate seat, meaning that no matter the outcome, a seasoned policymaker with the potential to elevate privacy on a national level will join the body.

Both candidates—California Attorney General Kamala Harris (D) and Rep. Loretta Sanchez (D-Calif.)—told Bloomberg BNA that if elected they will make data privacy a priority. Both touted their privacy resumes, saying that they have taken strong positions on privacy and cybersecurity issues in the past.

Sanchez has been a long-time member of the Committee on Homeland Security panel that has jurisdiction over cybersecurity—presently named the Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies.

“I have been a strong supporter of privacy and protecting our civil liberties,” Sanchez said in a statement provided through a spokesman in response to Bloomberg BNA questions. “I have 20 years of armed services experience and counter terrorism experience. I understand the cyber threats America faces at home and abroad,” Sanchez, who is in her tenth term representing Orange County, including Anaheim and Santa Ana, said.

Harris, who was elected attorney general of California in 2010 and reelected in 2014, has been active in data privacy enforcement as well as collaborative self-regulatory efforts with the tech industry.

Privacy/Cybersecurity Positions

“I will absolutely make data privacy a priority if elected,” Harris told Bloomberg BNA in statement provided through a spokesman in response to Bloomberg BNA's questions. “With the growth of the internet of things, business incentives to monetize data, and the rise in hacking, data privacy will only continue to be more important,” Harris said. “And recent events like Pokemon Go highlight just how important it is to be vigilant and focus on privacy and security by design.”

To some extent, the consumer privacy focus of the candidates isn't surprising given the presence of Silicon Valley. The Golden State plays a leadership role in tech-related issues, including how personal data is collected, retained and used. Harris and Sanchez are both Democrats because California sends the top two primary vote getters to the fall election regardless of their political affiliation.

“Harris and Sanchez both have a good grasp on the issue of privacy and cybersecurity,” Electronic Information Privacy Center Chief Technology Officer and State Policy Coordinator Caitriona Fitzgerald told Bloomberg BNA.

Privacy, Security Legislative Priorities?

Harris outlined her data privacy priorities to Bloomberg BNA:

  • Cybersecurity—“We need to make sure that organizations, businesses and governments that control vital infrastructure take all reasonable measures to ensure data security.”;
  • Data use transparency—“Companies need to do a lot more to help consumers actually understand what is happening with their data,” she said, adding that the U.S. “relies heavily on notice and choice.”; and
  • Privacy by design—She favors more detailed choice and privacy by default settings on products.


“Right now many consumers are given a choice between accessing services/content in exchange for data, which ultimately may go off to third parties that no one can control,” Harris said. Consumers should have “true control and choice” on how their data are used, she said.

Sanchez's campaign didn't respond to a Bloomberg BNA question about her data privacy legislative priorities.

California: Data Privacy Hub

“California has been a world leader both on information technologies and data privacy legislation,” Lothar Determann, partner at Baker & McKenzie LLP in Palo Alto, told Bloomberg BNA.

California has a unique role in the data privacy and security law and policy due to Silicon Valley's technology companies and its historic role in privacy law innovation.

Unlike the U.S. Constitution, California's constitution specifically protects the right to privacy.

California enacted the first-in-the-nation data breach notification statute in 2002. When it took effect in 2003, the law was considered to be relatively radical. It requires companies possessing or controlling personally identifiable information to notify individuals of a security breach if the personal information was or was presumed to be accessed by an unauthorized person. Now, 46 other states and the District of Columbia have breach notice laws.

Even by California standards, Kamala Harris has been particularly active as attorney general and equipped the attorney general's office to handle data privacy issues.

“California will always be a champion on privacy rights,” Jules Polonetsky, chief executive officer of the Future of Privacy Forum told Bloomberg BNA, “but Harris built a real resource of experts.”

Privacy Dream Team

Harris created the Privacy Enforcement and Protection Unit in 2012 within the California Department of Justice's eCrimes Unit, which Harris formed in 2011. The Privacy Enforcement and Protection Unit doubled the number of prosecutors dedicated to enforcing state and federal privacy laws and focused on public education, outreach and building partnerships with the private sector (11 PVLR 1174, 7/23/12).

The unit was staffed with seasoned experts. It was led by Travis LeBlanc, former special assistant attorney general for technology for California and current enforcement bureau chief at the U.S. Federal Communications Commission. Former director of California's Office of Privacy Protection, Joanne McNabb, was appointed as director of privacy education and policy.

The unit “brought cases against companies for data breaches as well as companies that did not have needed privacy practices,” Harris said.

Under Harris, the California Attorney General's Office has been involved in litigation that has resulted in a $26 million settlement with Comcast Communications Management LLC for improper data disposal (14 PVLR 2325, 12/21/15), and a $8.5 million settlement with Wells Fargo Bank NA for recording customers' phone calls without their knowledge (15 PVLR 726, 4/4/16).

“We've worked with the tech sector to encourage the adoption of strong privacy policies in mobile apps,” Harris said.

“The Electronic Privacy Information Center actually awarded Harris with our champion of freedom award in 2015 for her work on consumer privacy,” EPIC's Fitzgerald said.

Creative Privacy Enforcement

Harris has also collaborated with industry in addition to using her enforcement authority. The unit proactively reached out the technology industry, Determann said. Under Harris, the California Office of the Attorney General released a number of guidelines with recommendations for companies on issues, such as mobile privacy and privacy policies.

Many state attorneys general put out guides, but “under Harris, the AG's office was pretty entrepreneurial and very creative in using a range of tools from enforcement to the bully pulpit,” Polonetsky said.

For example, Harris secured an agreement in 2012 with the companies that comprise the majority of the platforms for the apps market—Amazon Inc., Apple Inc., Alphabet’s Inc.’s Google, Hewlett Packard Inc., Microsoft Corp. and Blackberry Ltd. (at the time, Research in Motion Ltd.)—to require that the industry comply with California’s requirement that mobile apps that collect personal data have a privacy policy (11 PVLR 375, 2/27/12).

The 2012 agreement was “one of the most effective privacy protection measures in the mobile space,” Determann said. “The platform-embedded controls, notices and consent prompts regarding data sharing between apps, access to certain data and location data collection are much easier to understand and use than individual company privacy statements.”

Harris even gave a very California-esque warning to United Airlines Inc. by using Twitter Inc. to put United on notice for not including a privacy policy in its new app.

Many companies have criticized federal and state regulators for enforcing data security without establishing clear standards. In February, Harris did something to plug that hole, defining a “reasonable data security” standard for the state (15 PVLR 383, 2/22/16).

Being an Effective Privacy Senator

Being passionate about privacy doesn't necessarily translate into being an effective privacy champion in the Senate, and being a state-level leader doesn't necessarily lead to success in pressing an agenda in Congress, privacy leaders told Bloomberg BNA.

To have a real privacy impact in the U.S. Senate, senators need to be on committees with appropriate jurisdiction over the issues they care about. “To truly be a significant player in the Senate, you need to be on the relevant committees,” Polonetsky said.

The Senate committees that are most active in the privacy sphere are the Commerce, Science and Transportation Committee and the Judiciary Committee, he said.

Sen. Richard Blumenthal (D-Conn.) was a privacy champion as attorney general of Connecticut before being elected to the Senate. However, he hasn't been as active with privacy legislation as privacy advocates had hoped.

Sanchez has over a decade of experience on a congressional committee with cybersecurity jurisdiction as a long-time member of the House Committee on Homeland Security's cybersecurity subcommittee. The subcommittee has jurisdiction over the Department of Homeland Security’s cybersecurity mission, the critical infrastructure sectors and private-public cybersecurity threat information sharing.

As a subcommittee member, Sanchez co-sponsored the Executive Cybersecurity Coordination Act to create the National Office for Cyberspace in the White House to coordinate federal information security policy (10 PVLR 443, 3/21/11). She also has been active in sponsoring bills and amendments to protect personally identifiable information and e-devices during border searches (13 PVLR 251, 2/10/14), and won passage of a minor amendment that added a privacy official to a DHS stakeholder group that reviews legislation.

“Sanchez also voted against the Cybersecurity Intelligence Sharing and Protection Act due to privacy concerns that the bill would've opened the door to further surveillance,” Fitzgerald said.

Senators from California, however, may be able to wield influence in the privacy area without being on the relevant committees due to the state's out-sized stature in the technology sector. And this could especially apply to Harris, who was a district attorney in the San Francisco area and active in a state-wide office.

“Harris could be an exception as someone who represents many of the key companies that would give her a unique status as someone who has real chops on cybersecurity issues and as a voice representing Silicon Valley with ties to the industry, who has successfully to put in place privacy agreements,” Polonetsky said. “Sanchez will be less likely to be able to walk in as a force. If she’s on the right committees, she has the right opportunities by representing Silicon Valley.”

Law Enforcement Access

Sanchez and Harris have taken different approaches on law enforcement access to information. That issue was the focus of the Apple-Federal Bureau of Investigation case in the wake of the San Bernardino, Calif. terrorist attack (15 PVLR 414, 2/29/16).

Sanchez came out strongly in favor of Apple's challenge to the FBI's order to unlock the San Bernardino shooter's encrypted iPhone. “I fully support Apple's decision to fight the court order through the judicial process AND I believe Congress must address the broader policy issues raised by this case,” Sanchez said in a statement released at the time.

Harris called for an approach that balanced the requests of law enforcement with protecting individual privacy. “Harris avoided taking a position on the Apple-FBI debate,” Fitzgerald said.

Privacy advocates are just hopeful that these, or any other candidates, may lift privacy into the national conversation.

“We’d like candidates to talk about issues of data breaches, identity breaches, consumer privacy. These are huge issues for Americans and they’re not being talked about enough,” Fitzgerald said.

To contact the reporter on this story: George R. Lynch in Washington at

To contact the editor responsible for this story: Donald G. Aplin at

Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.