A Privacy Bomb Is About to Be Dropped on the California Economy and the Global Internet

[Update: the law passed and I’ve posted a 3k word primer about it]

By tomorrow, the California legislature likely will pass a sweeping, lengthy, overly-complicated, and poorly-constructed privacy law that will have ripple effects throughout the world. While not quite as comprehensive as the GDPR, it copies some aspects of the GDPR and will squarely impact every Internet service in California (some of whom may be not currently be complying GDPR due to their US-only operations). The GDPR took 4 years to develop; in contrast, the California legislature will spend a grand total of 7 days working on this major bill. It’s such a short turnaround that most stakeholders won’t have a chance to participate in the legislative proceedings. So the Internet is likely to change radically tomorrow, and most people have no clue what’s coming or any voice in the process.

As bad as this sounds, the legislature’s passage of the bill is likely the GOOD outcome in this scenario. What could be worse?

The legislative rush-job was prompted by a proposed initiative, the California Consumer Privacy Act, which got certified for the ballot on Monday. The initiative was sponsored by San Francisco real estate developer Alastair Mactaggart, who has no expertise in privacy law but enough money to fund his pet topics. He spent $3M getting the initiative qualified for the ballot and funding a support campaign. The initiative process in California has several known defects, including (1) the text is locked down, so there’s no way to improve the proposed text based on comments from other stakeholders (which the legislative process allows), and (2) extreme difficulty amending or repealing the law once approved by voters–effectively, it becomes frozen law that’s permanently out of the legislature’s purview. So if the initiative passes, the initiative’s worse language will become immutable–we’ll be stuck with its many defects potentially forever. By getting the initiative qualified, Mactaggart has leverage over the legislature. He can demand that the legislature pass a law like the initiative before the deadline to withdraw the initiative from the ballot (in which case he’ll withdraw), or the voters will potentially lock in the initiative language forever. The deadline to withdraw the initiative is tomorrow, so that’s what prompting the legislative fire drill.

Given dulled public sentiments towards the Internet giants, the desire of Californians for more privacy protection (especially from the government), and the initiative’s overwhelming complexity, defeating the initiative at the ballot box is no easy task. Opponents are estimating they will build a $100M warchest to fight the initiative, and even then, its defeat is not guaranteed. With the nuclear option of frozen text as an unbearable downside risk, the Internet giants will cave and support a legislative deal, which they can try to amend later, rather than gamble at the ballot box.

I trust you noticed how Mactaggart’s trick is infinitely repeatable by other millionaires. It usually costs about $1M to gather enough signatures to qualify an initiative for the ballot. Every wealthy person with a pet topic can spend that million, get the certification for the ballot, and then approach the legislature with the same deal: pass my law or we’ll put the issue to voters and bypass the legislature altogether (and potentially handcuff legislative power on this topic forevermore). This is one of the worst possible ways to set a legislative agenda. Among other major problems facing our country, we need to eliminate California’s initiative process to shut down this unwelcome workaround to our democratic institutions.

“Summary” of the Bill

It’s not possible for me to write my own summary of the bill in the time I have to write this blog post. First, the bill text keeps changing. Second, the bill is 10,000 words of dense legalese covering a wide array of different policy ideas–including brand-new rights for consumers to access their data, erase their data, and opt-out of data sales (and giving minors opt-in rights), plus making various changes to the data breach notification law. This is an omnibus law, making it impossible to summarize in soundbites. Instead, here is the Senate Judiciary Committee report’s 3,000 word “summary”:

___

This bill would establish the California Consumer Privacy Act of 2018 (the Act) to become operative on January 1, 2020, contingent on the privacy initiative being withdrawn from the ballot pursuant to Section 9604 of the Elections Code.

This bill would provide that a consumer shall have the right to request that a business that collects a consumer’s personal information disclose to that consumer the categories and specific pieces of personal information the business has collected. The obligation to provide such information is only triggered upon receipt of a verifiable consumer request and is limited to no more than twice per year. Such business would be required to inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used. A business shall not collect additional categories of personal information or use personal information collected for additional purposes without providing the consumer with notice consistent with this section.

This bill would provide that a consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer. Upon such a request, the business would be required to delete the information from its records and direct any service providers to do the same. This right to delete would need to be disclosed by businesses collecting personal information

This bill would provide that businesses are not required to delete information upon request where it is necessary for the business to maintain the consumer’s personal information for various purposes, including detecting security incidents; complying with a legal obligation; enabling solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business; or otherwise using the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.

This bill would provide that a consumer shall have the right to request that a business that collects personal information about the consumer disclose to the consumer certain information, and the business shall disclose such information, including the following:
* the categories of personal information it has collected about that consumer;
* the categories of sources from which the personal information is collected;
* the business or commercial purpose for collecting or selling personal information;
* the categories of third parties with whom the business shares personal information; and
* the specific pieces of personal information it has collected about that consumer.

This bill would provide consumers the right to request a business that sells or discloses their personal information disclose the following:
* the categories of personal information that the business collected about the consumer;
* the categories of personal information that the business sold about the consumer and the categories of third parties to whom the personal information was sold, by category or categories of personal information for each third party to whom the personal information was sold; and
* the categories of personal information that the business disclosed about the consumer for a business purpose.

This bill would prohibit a third party from selling personal information about a consumer that has been sold to the third party by a business unless the consumer has received explicit notice and is provided an opportunity to exercise the right to opt out. This bill would provide consumers a right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell that information. It would place a requirement on a business that sells consumers’ personal information to third parties to provide notice to consumers, as specified, that this information may be sold and that consumers have the right to opt out of such sales. Such businesses would be required to provide a clear and conspicuous link on the business’ Internet homepage, titled “Do Not Sell My Personal Information,” to an Internet Web page that enables a consumer, or a person authorized by the consumer, to opt out of the sale of the consumer’s personal information. For a consumer who has opted out of the sale of the consumer’s personal information, a business would be required to respect the consumer’s decision to opt out for at least 12 months before requesting that the consumer authorize the sale of the consumer’s personal information.

This bill would also provide that minor’s [sic] must consent to the sale of their personal information before a business can sell it. It would further provide that a business shall not sell the personal information of a consumer if the business has actual knowledge that the consumer is less than 16 years of age, unless the consumer, in the case of consumers between 13 and 16 years of age, or the consumer’s parent or guardian, in the case of consumers who are less than 13 years of age, has affirmatively authorized the sale. A business that willfully disregards the consumer’s age would be deemed to have had actual knowledge of the consumer’s age.

This bill would prohibit discrimination against a consumer because the consumer exercised their rights under the bill. Such discrimination would include:
* denying goods or services to the consumer;
* charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties;
* providing a different level or quality of goods or services to the consumer, if the consumer exercises the consumer’s rights under this title; and
* suggesting that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services.

This bill would provide that the above provision does not prohibit a business from charging a consumer a different price or rate, or from providing a different level or quality of goods or services to the consumer, if that difference is reasonably related to the value provided to the consumer by the consumer’s data.

This bill would authorize businesses to offer financial incentives, including payments to consumers as compensation, for the collection of personal information, the sale of personal information, or the deletion of personal information. A business would be required to notify consumers of the financial incentives in such a case. A business would be permitted to enter a consumer into a financial incentive program only if the consumer gives the business prior opt-in consent, which may be revoked by the consumer at any time. A business may also offer a different price, rate, level, or quality of goods or services to the consumer if that price or difference is directly related to the value provided to the consumer by the consumer’s data. A business would be prohibited from using financial incentive practices that are unjust, unreasonable, coercive, or usurious in nature

This bill would set forth requirements for businesses to develop methods for consumers to exercise their rights under the Act, provide for procedures and timelines for complying with the Act’s requirements, and detail the methods for identifying consumers and associating information provided by them with information collected by the business.

This bill would also require businesses to disclose specified information in its online privacy policy, including a description of consumers’ rights, the methods for submitting requests, and lists of categories of information actually collected, sold, and disclosed by the business in the preceding year. Businesses would be required to inform the appropriate personnel of the requirements of the Act and how to facilitate consumers’ exercise of those rights.

This bill would provide definitions for the key terms used in the Act, including the following:
* “business” would mean specified, for-profit entities that collect personal information and that meet one of the following criteria: (1) annual gross revenues of over $25 million; (2) annually buys, receives, sells, or shares the personal information of at least 50,000 consumers, households, or devices; or (3) derives 50 percent or more of its annual revenue from selling such information;
* “collects” and similar terms would mean buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means. This includes receiving information from the consumer, either actively or passively, or by observing the consumer’s behavior.
* “consumer” would mean a natural person who is a California resident;
* “personal information” would mean information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following:
– specified identifiers, both online and off, such as a real name, alias, address, unique personal identifier, Internet Protocol address, email address, and other identifying numbers;
– any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including signature, physical
characteristics or description, education, employment, employment history, or any other financial information, medical information, or health
insurance information;
– characteristics of protected classifications under California or federal law;
– commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies;
– biometric information;
– Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement;
– geolocation data;
– audio, electronic, visual, thermal, olfactory, or similar information;
– inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes;
* “research” means scientific, systematic study and observation, including basic research or applied research that is in the public interest and that adheres to all other applicable ethics and privacy laws or studies conducted in the public interest in the area of public health. Research with personal information that may have been collected from a consumer in the course of the consumer’s interactions with a business’ service or device for other purposes must meet specified requirements;
* “sell,” “selling,” “sale,” or “sold,” would mean selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.

This bill would make clear that the obligations imposed on businesses by the Act do not restrict a business’s ability to comply with the law or lawful orders; cooperate with law enforcement agencies concerning unlawful conduct or activity; exercise or defend legal claims; collect information that is deidentified or in the aggregate; or to collect or sell such information if the conduct takes place wholly outside of California. The obligations of the bill would not apply if they would violate evidentiary privileges.

This bill would also make clear that it does not apply to certain information collected by a covered entity governed by the Confidentiality of Medical Information Act or the Health Insurance Portability and Availability Act of 1996; information collected pursuant to the Gramm-Leach-Bliley Act or the Driver’s Privacy Protection Act of 1994. It would also not apply to the sale of personal information to or from a consumer reporting agency if that information is to be reported in, or used to generate, a consumer report.

This bill would provide certain timelines to respond to consumer requests with the ability to extend for specified reasons. If the business does not take action on the request of the consumer, the business would be required to inform the consumer, without delay and at the latest within the time period permitted of response by this section, of the reasons for not taking action and any rights the consumer may have to appeal the decision to the business. The bill would also allow a business to charge a reasonable fee or refuse to act on a request if it is manifestly unfounded or excessive, in particular because of its repetitive character. A business would have to notify the consumer of the reason for refusing the request. The business would bear the burden of demonstrating that any verified consumer request is manifestly unfounded or excessive.

This bill would immunize a business that discloses personal information to a service provider if the service provider receiving the personal information uses it in violation of the Act, provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the service provider intends to commit such a violation. A service provider would likewise not be liable for the obligations of a business for which it provides services.

This bill would provide that any consumer whose nonencrypted or nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to an unauthorized access and exfiltration, theft, or disclosure, as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action to recover damages in an amount between $100 and $750 per consumer per incident or actual damages, whichever is greater; for injunctive or declaratory relief; or any other relief the court deems proper. The court would be required to consider specified circumstances in setting the amount of the statutory damages.

This bill would provide that a consumer is authorized to bring such actions only if all of the following requirements are met:
* prior to initiating any action against a business for statutory damages on an individual or class-wide basis, a consumer shall provide a business 30 days’ written notice identifying the specific provisions the consumer alleges have been or are being violated. The business would have a 30-day right to cure, where possible. If cured and the business provides express written assurances that no further violations shall occur, no action for individual statutory damages or class-wide statutory damages may be initiated against the business.
* a consumer bringing an action must notify the Attorney General within 30 days that the action has been filed; and
* the Attorney General, upon receiving such notice shall, within 30 days, do one of the following:
– notify the consumer bringing the action of the Attorney General’s intent to prosecute an action against the violation. If the Attorney General does not
prosecute within six months, the consumer may proceed with the action;
– refrain from acting within the 30 days, allowing the consumer bringing the action to proceed; or
– notify the consumer bringing the action that the consumer shall not proceed with the action.

This bill would provide that any business or third party may seek the opinion of the Attorney General for guidance on how to comply with the Act.

This bill would provide that a business is in violation of the Act if it fails to cure any alleged violation within 30 days after being notified of alleged noncompliance. Any business, service provider, or other person that violates this title shall be liable for a civil penalty as provided in Section 17206 of the Business and Professions Code in a civil action brought in the name of the people of the State of California by the Attorney General. The civil penalties provided for in this section would be exclusively assessed and recovered in a civil action brought in the name of the people of the State of California by the Attorney General. Intentional violations of the Act would be subject to a civil penalty of up to $7,500 for each violation.

This bill would provide guidelines for the disbursement of any penalties assessed or settlements secured, with 20 percent going to the Consumer Privacy Fund, newly created by this bill within the General Fund, with the intent to fully offset any costs incurred by the state courts and the Attorney General in connection with this title.

This bill would provide that wherever possible, laws relating to consumers’ personal information should be construed to harmonize with the provisions of the Act, but in the event of a conflict between other laws and the Act, the provisions of the law that afford the greatest protection for the right of privacy for consumers shall control. It would supersede and preempt all rules, regulations, codes, ordinances, and other laws adopted by a city, county, city and county, municipality, or local agency regarding the collection and sale of consumers’ personal information by a business.

This bill would also provide that on or before January 1, 2020, the Attorney General shall solicit broad public participation to adopt regulations to further the purposes of the Act.

This bill would provide that if a series of steps or transactions were component parts of a single transaction intended from the beginning to be taken with the intention of avoiding the reach of this title, including the disclosure of information by a business to a third party in order to avoid the definition of sell, a court shall disregard the intermediate steps or transactions for purposes of effectuating the purposes of this title.

This bill would provide that any provision of a contract or agreement of any kind that purports to waive or limit in any way a consumer’s rights under this title, including, but not limited to, any right to a remedy or means of enforcement, shall be deemed contrary to public policy and shall be void and unenforceable. This section shall not prevent a consumer from declining to request information from a business, declining to opt out of a business’ sale of the consumer’s personal information, or authorizing a business to sell the consumer’s personal information after previously opting out.

This bill would contain a severability clause.

Some Comments

Legions of academics could spend their entire careers grokking these provisions and debating the pros and cons of each. The California legislature will spend less than 168 hours doing that… and if I hope to get out this post in any time-effective way, I have mere minutes to highlight just a few issues:

Who’s Covered by the Law? Virtually Every Business. The initiative has largely been styled as anti-data brokerage, but the bill actually applies to any “business that collects a consumer’s personal information.” “Business,” “collects,” and “personal information” are all defined terms, but expansively. For example, as I’ll explain in a moment, the definition of “personal information” covers virtually all information in a company’s possession. So let’s assume for a moment that, on its face, this law applies to every business–online and off–that has consumers. We’re not talking only about Internet giants like Google and Facebook. We’re talking every retailer big and small: every gas station, grocery store, restaurant, bakery, local mom-and-pop shop, etc. We’re talking every professional service provider: every attorney, accountant, therapist, doctor, etc. We’re even talking about most manufacturers–certainly those that sell direct-to-consumers, but possibly even  those only transacting business-to-business.

The bill has extra obligations for businesses that “sell” consumer data, but again the definition is expansive (and the active subject of amendments) to include “disseminating” consumer data for “monetary or other valuable consideration.” The legislative report references the Cambridge Analytica scenario as one of the targets, but did Facebook “sell” the data to the Oxford researcher by allowing his access to Facebook’s API? There was no money exchanged, but every Internet company that sets up an API has a pretty clear quid-pro-quo of sharing the data to benefit its consumer base. Does that tacit quid-pro-quo constitute “valuable consideration”? If so, every Internet business with California ties and an API will be subject to the enhanced rules about data “sales,” even if no one would ever characterize the data transfers as a “sale.”

Acknowledging that it doesn’t intend to reach every California business, the bill sets up the following thresholds for applicability: a business must (1) have $25M+ in annual revenue, OR (2) derive 50%+ of its revenues from selling consumer data, OR (3) “annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.” So any business with 50,000 annual consumers–an average of 137/day–is almost certainly governed by this law, and that includes many mom-and-pop retailers and other small businesses. If I were to make only one edit to this bill, I’d change this section to add at least one zero to the $25M and 50k thresholds.

As an illustration of its broad reach, is my blog covered by the bill? I get 50k+ visitors/year, my analytics package picks up their IP addresses, and I get about $400/year from Google AdSense. Based on the bill’s expansive definition of “commercial purposes” (which seemingly includes ad revenue), I might be covered. If the bill passes and I’m covered, I would likely shut off Google ads to avoid complying with the law.

Definition of “Personal Information.” The bill regulates the collection and sale of “personal information.” However, it’s well-known in privacy circles that the distinction between “personally identifiable” and “non-personally identifiable” information is incoherent and nonsensical. Virtually any information about a person–even something as generic as “has brown hair”–can help uniquely identify a person when combined with enough other data. So there’s no meaningful distinction between personally identifiable and non-personally identifiable information, and any law attempting to make the distinction will be over- or under-inclusive. This statute falls on the massively over-inclusive side: it defines personal information as “information that….is capable of being associated with…a particular consumer or household.” Because of the data combination/reidentification effect, virtually all information a company possesses has this capacity and is thus regulated by the bill. This defect pervades every aspect of the law and makes much of it nonsensical. For example, if virtually every scrap of data could assist reidentification, what does it mean for a business to reveal all “personal information” it has about a user or give the user the option to delete the data? If I had a second option to edit the bill, I would limit the definition of “personal information” to a very small list of specific items. That list would be under-inclusive, but it would better than the ridiculously overbroad definition used here that sweeps in every aspect of every business’ activity.

Global Reach. The bill applies to businesses doing business in California. What does that mean for Internet companies? With so many Internet companies located in California, and many others arguably “doing business” here even if they don’t have people or property in the state, this bill touches virtually every Internet company you’ve heard of and many you haven’t. Furthermore, because of the hassle and expense of building state-by-state consumer flows, this law will likely change their behavior for both California and non-California users. This is called “the California Effect” because California–as the 5th largest economy in the world–can have market-moving effects to change global standards. It’s one of the reasons why I categorically oppose all efforts to impose online privacy laws at the state level, because a state’s regulation of Internet activity will undoubtedly inpact many people wholly outside the state (despite this bill’s stated limit not to reach “commercial conduct [that] takes place wholly outside of California”). I’m sure the bill drafters view that extraterritorial reach as a feature, not a bug. In my opinion, the extraterritorial impact should trigger the Dormant Commerce Clause.

How Much Will This Cost? (part 1) Regulated companies–i.e., virtually every business in California–will need to spend money on compliance, including building new processes to deal with the various consumer requests/demands. Adding up all of the expenditures across the California economy, how much will this cost our society? It’s not like these expenditures come from some magic pot of money; the costs will be indirectly passed to consumers. Are consumers getting a good deal for these required expenditures?

How Much Will This Cost? (part 2) Lengthy statutes seem like they are detailed enough to eliminate ambiguity, but it actually works in reverse. The longer the statutes, the more words for litigators to fight over. This law would give us 10,000 different bases for lawsuits. One of the current tussles between the initiative and the bill is whether there is a private right of action. Right now, the bill attempts to limit the private causes of action to certain data breaches. If the private right of action expands beyond that, SEND YOUR KIDS TO LAW SCHOOL.

How Much Will This Cost? (part 3) The bill would create a new “Consumer Privacy Fund,” funded by a 20% take on data breach enforcement awards, to offset enforcement costs and judiciary costs. Yay for the bill drafters recognizing the government administration costs of a major new law like this. Usually, bill drafters assume a new law’s enforcement costs can be buried in existing budgets, but here, the bill drafters are (likely correctly) gearing up for litigation fiestas. But exactly how much will these administration costs be, and will this new fund be sufficient or have we written a blank check from the government coffers to fund enforcement? Most likely, I expect the Consumer Privacy Fund will spur enforcement, i.e., enforcement actions will be brought to replenish the fund to ensure it has enough money to pay the enforcers’ salaries–a perpetual motion machine.

Mandatory Disclosures. I understand and sympathetic to criticisms of the prevailing notice-and-choice model of privacy regulation. If the model works, consumers need enough information to make good choices, and businesses aren’t always forthcoming. Still, privacy laws often overshoot this target through empirically unsupported paternalistic views of what consumers should care about. Thus, government mandated disclosures rarely succeed because it’s hard to anticipate what information that consumers actually want or value; and making mandated disclosures noisier (and thus harder to miss) displaces consumer attention from other priorities and causes “banner blindness” where consumers grow increasingly indifferent to ever-noisier disclosures.

The bill commits both sins of mandating disclosures consumers may not want, and making them noisier. For example, the bill requires “a clear and conspicuous link on the business’ Internet homepage, titled “’Do Not Sell My Personal Information.'” Between this and the EU-mandated cookie warning, will there be any room on a service’s home page for the content the consumers actually came to find?

Definition of “Reasonable Security Practices.” The bill would create a private cause of action in certain data security breaches where the company failed to deploy “reasonable security practices.” As everyone knows, there is no standard for what constitutes “reasonable security practices,” and a similar legal standard led to an embarrassing FTC loss in the LabMD case. How will reasonable security practices be defined, and by whom? If it’s going to be defined by plaintiffs’ lawyers through seriatim lawsuits, SEND YOUR KIDS TO LAW SCHOOL.

Which Parts are Constitutional? One of the reasons why the US cannot adopt the GDRP wholesale is that several GDPR provisions would likely violate the First Amendment. This bill doesn’t reach as broadly, but it does implicate the First Amendment in numerous ways, including the mandatory disclosures and the regulation of data transfers. I don’t have the time to do a comprehensive Constitutional analysis, but note that Sorrell v. IMS struck down Vermont’s data brokering law as unconstitutional, and I’m not sure if this law avoids Sorrell’s traps. Whether enacted as an initiative or a bill, I expect the law will be tied up in Constitutional litigation for a while.

I’m not an administrative law expert, but there are some unusual provisions that left me head-scratching about their legality, including:

* an odd provision that attempts to share enforcement authority between the AG office and private litigants. Among other things, it gives the AG veto rights over consumer litigation. I’m not an expert on such things, but can a legislature do that?

* the bill delegates rule-making authority to the state AG. Can the legislature do that, and what deference will the resulting regulations get?

* the creation of the Consumer Privacy Fund.

Drafting Defects. Not unlike Facebook’s old motto, when legislatures move fast, they break things. I’m sure we’ll be finding drafting quirks and mistakes for years. Just one example: One of the bill’s oddest and most-likely-to-be-misunderstood provisions attempts to restrict privacy-based price discrimination. I’m not sure if the initiative drafters intended to ban all personalized pricing or just pay-for-the-bill’s-privacy-options, but this provision is being amended in the bill and that’s creating errors. Here’s the comment from the Senate Judiciary Report:

Section 1798.125, where these anti-discrimination and incentive provisions reside, is internally inconsistent to a certain extent. It specifically prohibits “charging different prices or rates for goods or services.” But, it also specifically authorizes in the following paragraph “charging a consumer a different price or rate.” The same tension exists for “providing a different level or quality of goods or services.” This is problematic in and of itself because it is vague as to exactly how a business can treat a consumer based solely on whether they have exercised their rights pursuant to the Act. Worse, these provisions could be read as an endorsement of pay-for-privacy type practices.

These are easy enough to fix. But it makes me wonder how many drafting defects have crept into this process?

Will Congress Step In? When California passed a completely unworkable anti-spam law requiring opt-ins, Congress stepped in and passed CAN-SPAM to preempt it. Congress has even more process problems than the California legislature, so the odds of anything sensible getting through Congress seems remote. Still, given the stakes at issue with this law, the bill could move the action to Congress for a potentially preemptive federal law, with uncertain results.

* * *

I hate doing an incomplete job grokking such an important law, but I decided it’s better to speak now, even incompletely. As the maxim goes, legislate in haste, repent at leisure. We’ll have plenty of time to bemoan and shake our heads about the problems with this law after tomorrow.