Recent Developments Regarding the California Consumer Privacy Act

This post recaps some recent developments related to the California Consumer Privacy Act (which I’m still calling CCPA despite the IAPP’s effort to brand it CaCPA).

The Technical Amendments Bill

The technical amendments bill is SB 1121. The bill would do things like change “act” to “title,” “opt out” to “opt-out” and “business'” to “business’s,” so that should give you some sense of its value. For reasons that aren’t clear, the technical amendments bill misses dozens of obvious and outright errors, including most of the ones I flagged in my prior post. Some of the more noteworthy changes:

  • It would strike the surplusage after 1798.100(e).
  • It would add: “The rights afforded to consumers and the obligations imposed on any business under this title shall not be construed to infringe on the business’s speech rights that state or federal courts have recognized as noncommercial speech, including political speech and journalism.” I think this activity isn’t covered by the statute anyway, but the fear behind this insertion shows the massive and unpredicted reach of the law.
  • It would expressly specify that the private cause of action only applies to data breaches (more on this below).

Overall, this bill is better than nothing, but it represents less than 1% of the obviously needed changes to the bill. I’m hoping more changes will be folded in before passage.

Coalition Letter

A large coalition of business groups wrote a 20-page, single-spaced letter to the California legislature about the law. The letter makes the following 23 requests (and more):

  • delay implementation until 12 months after the AG’s rule-making. This is a very sensible request because the AG’s rules could be quite complex and wide-ranging, and it will potentially take substantial time for businesses to accommodate the regulations. We recently saw a lot of avoidable angst with last-minute “guidance” for both the GDPR and COPPA, and a 12-month window would reduce that angst.
  • strengthen the preemption of any local privacy laws
  • narrow the definition of “consumer” to exclude employees, contractors, and business contacts. The letter gives a great example: theoretically, the law currently permits an employee to demand expungement of evidence of sexual harassment from company records.
  • narrow the definition of “personal information” to information “linked or reasonably linkable” to a particular consumer; exclude references to household, devices, and family; explicitly exclude deidentified, aggregate, and pseudonymized consumer information; and strip out numerous specific items in the definition (including, for example, the references to “thermal” and “olfactory” information). They also propose cleaning up the garbled discussion about “publicly available” information. All of these changes are good, but I expect this will be a hotly contested topic.
  • expand the scope of “deidentified” information.
  • clarify that businesses won’t be required to keep information longer than they want. This is an interesting reading of the statute–that they think some language in the law counterproductively mandates data retention.
  • remove the obligation to disclose “specific pieces” of information back to consumers. This request would negate data portability.
  • limit the restrictions on price discrimination. I believe these changes are designed to gut it sub silentio. Even that may not go far enough. Honestly, the whole price discrimination provisions should be expressly put in the dumpster fire depicted above.
  • allow targeted advertising if the advertiser doesn’t get any personal information. The letter claims it was never the privacy proponents’ intent to restrict targeted ads, but that doesn’t sound credible to me.
  • allow consumers to choose middle-ground opt-outs of data sales, not just all or nothing.
  • categorically limit the law’s applicability to businesses’ efforts to “prevent or detect identity theft, fraud, other criminal activity, or verify identities,” and allow data sales for those purposes. This is a pretty substantial loophole.
  • expand the statutory exclusion for compliance with other laws to include “the ability of a business contracted to collect, use, or provide personal information in order to assist another business or a government agency to comply,” and tone down the language that yields only in the face of “conflicts” with other laws. The last two bullets seem to be driven by the banks. However, the letter also makes a good point about HIPAA, which regulates both “covered entities” and “business associates” but only excludes HIPAA’s provisions on “covered entities.” (Oops).
  • limit any obligations that require businesses to “divulge information that the business reasonably believes would jeopardize the security of the business or public safety.” Another pretty big loophole.
  • strike language about a business’ willfulness towards a user’s age. This is in the same paragraph where the statute has the defect about 13 yr olds vs. 16 yr olds, but remarkably the letter doesn’t address it.
  • negate strict liability for data sales by third parties who haven’t gotten notice of the consumer’s opt-out.
  • allow businesses to ask consumers to opt-back-into data sales more frequently than 12 months if the consumer deletes his/her data. This is a logical request because the business doesn’t have a way to know these folks opted-out (they deleted their data), but there’s still a bit of irony here.
  • give businesses up to 45 days to honor opt-out requests. CAN-SPAM says 10 business days, and even that seems pretty long in the modern age (at least for large companies), so 45 days appears to be an inflated number for negotiating purposes.
  • remove all references to data portability. The letter claims the proponents had already agreed to this. Color me skeptical about that claim.
  • remove the requirement to have a toll-free number for opt-outs and provide more flexible options for the opt-out.
  • narrow the definition of “home page” so it’s not every web page. Good one–I missed this pretty bad drafting error!
  • remove the prohibition on requiring consumers to register in order to opt-out. This punts the issue to the AG rule-making.
  • make it clearer that the private right of action only applies to data breaches, not other parts of the law. I believe everyone has agreed to this. The technical amendments bill has a sentence reflecting this objective, but it’s not exactly the language requested by the coalition.
  • clarify that data breaches only apply to “nonencrypted and nonredacted personal information,” not “or.”

Public interest groups wrote their own letter contesting these requests, especially noting their disagreement about the data portability issue. They did propose some technical corrections:

  • The 13 yr old/16 yr old issue, which they propose to read “between 13 and 15”
  • Companies should not have to collect additional info to comply with the law
  • They agree with the “nonencrypted and nonredacted personal information” correction
  • Some clarification of “deidentified” information.

EFF’s Proposals

This is one of the first times I’ll publicly disagree with the EFF, but I completely disagree with their statement that “There’s a lot to like about the Act.” It reminds me of the line from the Princess Bride: “I wonder if he is using the same wind we are using?” Are they reading the same text I’m reading? The EFF’s proposed changes include the following:

  • Change the default from allowing data collection to requiring consumer opt-in.
  • Allow more granular disclosures of information collected about consumers.
  • Address data portability when multiple people are identifiable from the same content item (such as a photo of two people) and one of the folks has restricted content visibility.
  • Require consumer opt-in before companies share consumer data, even if the sharing isn’t financially motivated.
  • Tighten up the price non-discrimination provisions. As I mentioned, they should be deleted, not strengthened.
  • Create a private cause of action for breaches of the entire statute, not just data breaches

I vigorously and completely oppose ALL of these proposals. I still love the EFF and support it as a paying member (and I encourage you to do the same).

The New York Times Magazine Article: “The Unlikely Activists Who Took On Silicon Valley — and Won”

Anyone who still portrays this law as targeting “Silicon Valley” or the “technology community” or “Google/Facebook” is an idiot. It will hurt taco stands in Calexico more than it will hurt Google or Facebook. The entire article is framed this way, making me wonder if the reporter ever actually read the law or understands it even today.

This article is the fawning and unquestioning history of the law we all knew was coming. Mactaggart and Ashkan Soltani get the most love. I thought this line was telling: “Mactaggart and Soltani imagined their rules to be comparatively light-touch.” This law is a privacy bomb being dropped on the California economy, so viewing it as “light touch” is a good indicator of their echo-chamber!

In particular, the article doesn’t question the initiative procedure as the route to passage, treating it more as a good thing than a hack on democracy. For example, the article says “It began to dawn on at least some people that Mactaggart’s vote might be the most important one.” This isn’t a good thing for democracy, is it? Or this line: “Soltani wryly pointed out that Mactaggart had offered Silicon Valley a take-it-or-leave-it privacy policy — the same kind that Silicon Valley usually offered everyone else.” If you’re a privacy advocate, this is a cute irony. If you’re a fan of democracy, this is chilling.

Here’s another good example of the article’s unquestioning discussion about the law’s overreach: “‘Under this law, the attorney general of California will become the chief privacy officer of the United States of America,’ Mactaggart argued.” I wonder how voters in the 49 other states feel about that?

The article doesn’t answer the most important question: why does the drafting differ so much from the GDPR? It simply says “Mactaggart was wary of proposing a sweeping law like the European Union’s General Data Protection Regulation, or G.D.P.R., fearing that Californians would find it mystifying and reject it.” Perhaps that’s true, but the deviation imposes enormous extra costs on California businesses for no clear benefit.

The article also doesn’t explain who outside of the echo chamber reviewed and commented on the bill text before it was submitted as an initiative. One possible explanation is that no skeptic actually commented on the initiative text before it was finalized. That would explain a lot of the obvious drafting problems.

UPDATE: Kash Hill thinks Mary Stone Ross deserves some of the credit/blame for this bomb.

More Suggestions for Corrections/Changes

In a prior post, I laid out dozens of typos and ambiguities. I’ve collected a few more since then:

  • In light of the overlap, the legislature should repeal the private right of action in the existing data breach law in 1798.80.
  • Similarly, the legislature should repeal the existing Shine the Light law (1798.83 and associated sections) due to the overlap and inconsistencies.
  • The term “health insurance information” is defined but never used.
  • I quote this next issue/correction from an email sent to me by David Navetta:

The statute says (emphasis added):

(2) For purposes of this title, a business does not sell personal information when…

(D) The business transfers to a third party the personal information of a consumer as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the business provided that information is used or shared consistently with Sections 1798.110 and 1798.115. If a third party materially alters how it uses or shares the personal information of a consumer in a manner that is materially inconsistent with the promises made at the time of collection, it shall provide prior notice of the new or changed practice to the consumer. The notice shall be sufficiently prominent and robust to ensure that existing consumers can easily exercise their choices consistently with Section 1798.120. This subparagraph does not authorize a business to make material, retroactive privacy policy changes or make other changes in their privacy policy in a manner that would violate the Unfair and Deceptive Practices Act (Chapter 5 (commencing with Section 17200) of Part 2 of Division 7 of the Business and Professions Code).

We may have an ambiguity and a timing issue here. Generally, this section is trying to say that the disclosure of personal information a business holds when it is bought by another business is not a “sale” (and therefore a consumer could not opt out of it).  However, that is the case only if the personal information is “used or shared consistently with Sections 1798.110 and 1798.115.” The carve out then goes into some details concerning third parties and personal data uses beyond what was contemplated at the time of collection.

As to the ambiguity, Sections 1798.110 and 1798.115 do not, in large part, substantively address how a business may use or share information. Rather, sections 1798.110 and 1798.115 address how a business must disclose information to a consumer in response to a request (to exercise their rights). Section 1798.115 is the only section that discusses use and sharing of personal information, and it does so in a very narrow fashion.  It states that businesses are allowed to use a consumer’s personal information to respond to the request; and it also prohibits a third-party from selling personal information absent notice and the consumer’s right to opt-out of such sale, id. at § 1798.115(d). Therefore, it is not clear how a third party can use or share information consistently with Section 1798.110 at all, and for 1798.115 it appears that the only issue is to refrain from selling personal information without an opt-out.

As to timing, when a sale of a business is consummated how will the target company know what the buyer plans to do with the personal information in the future?  Does the target have to get some sort of assurance that the buyer will only use and share the information in a manner consistent with 1798.110 and 1798.115?  And if it does not may a consumer opt out of the disclosure (because it becomes a “sale”?).

By the way, the language that details what a third party must do to materially alter how it uses or shares personal information, appears to contradict the outright prohibition I’ve highlighted in bold.

* * *

Related Posts

The California Consumer Privacy Act Should Be Condemned, Not Celebrated
A First (But Very Incomplete) Crack at Inventorying the California Consumer Privacy Act’s Problems
Ten Reasons Why California’s New Data Protection Law is Unworkable, Burdensome, and Possibly Unconstitutional (Guest Blog Post)
A Privacy Bomb Is About to Be Dropped on the California Economy and the Global Internet
An Introduction to the California Consumer Privacy Act (CCPA)