At the end of June, California enacted what has been billed as a comprehensive privacy law. By all accounts, it was a rush job, negotiated in a week behind closed doors in a desperate and successful attempt to keep Californians for Consumer Privacy Campaign Chairman Alastair Mactaggart’s privacy initiative off the November ballot. As sometimes happens, the law’s proponents and a few reporters may have overhyped the legislation – both given its current contents and because many expect it to change before its effective date in January 2020.
Nonetheless, lawmakers in Congress and in states beyond California may be looking to the new law for ideas. Those doing so should take the law as it stands with a grain of salt. Even before the ink dried on the law, stakeholders were promised additional legislation amending the law, and the California Attorney General (AG) is required to promulgate rules enacting the details of the law in 2020. Plus, it’s impossible to know what exactly a law will do until it goes into effect and is litigated. But, this blog takes a deep dive into the law and outlines some of the provisions policymakers should keep in mind as they consider which parts of the California law to export:
Room for Improvement:
1) Notice Only: The California law requires businesses to notify Californians, “at or before the point of collection,” of “the categories of personal information to be collected and the purposes for which the categories of personal information” will be used. While transparency is a step in the right direction, this language seems to allow businesses to collect whatever personal information they wish to and use it for whatever purposes they wish – provided they tell you, the consumer, that they are doing it. You do not have the ability to limit data collection or use (although you can require a business to delete your data after the fact – subject to certain limitations – and you can stop a business from selling your data – see further discussion below). This is considerably less protective of consumers than most of the federal proposals on the table. In fact, even the most modest federal bill would allow consumers to limit the collection and use of their personal information.
There is also no reason to believe that this notification requirement, in and of itself, would in any way change current business practices. Businesses already disclose the categories of information they collect and what they use it for in their terms of service – because they are afraid that the Federal Trade Commission (FTC) will come after them under the Agency’s deceptiveness authority if they don’t. Of course, it would take 76 work days to read all of the privacy policies we encounter in a year, so very few people read those disclosures. Nothing about the California law would change that.
2) Opt-Out for Selling Personal Information: The California law permits (adult) consumers to opt out of the sale of their personal information. This is a step in the right direction, but there are two problems. First, it applies only to the sale of personal information. Now, sale is defined slightly more broadly than it is in the conventional sense, but the definition would not reach the dissemination of personal information when no value is received in exchange – e.g. where data are donated for research purposes. It also would not reach advertising practices used by Facebook and other platforms where the personal information itself is not conveyed to the advertiser, but rather the advertiser gives the platform the demographics it wishes to reach, and the platform places the ad by looking at its data itself.
Moreover, the opt-out regime itself is problematic. Too often the default is destiny; most people never change default settings. This means a lot more personal information will be sold under the opt-out regime than would be under an opt-in regime. The problem here? Our personal information is just that – personal. We should be in the position to decide whether it is sold and to whom. (Note: the law does require opt-in consent for the sale of personal information when the Californian is under age 16.)
3) Pay for Privacy: The new law includes a provision that appears at first blush to stop businesses from discriminating against consumers who have asked for their data or prohibited the sale of their data. But, it includes carve-outs that allow businesses to charge different rates, provide different qualities of service, or offer financial incentives to consumers to share or permit the sale of their personal information, so long as the prices or differences are related “to the value provided to the consumer by the consumer’s data.” These exceptions are poorly drafted and include conflicting standards, but most readers agree that they permit a business to require you to pay for the value of your data – i.e. to pay for your privacy.
Public Knowledge does not oppose pay-for-privacy in all circumstances; however, the inclusion of pay-for-privacy raises some concerns. On the one hand, the ability to exchange some information for something of value is consistent with the philosophical proposition that you own your own data. On the other hand, it may make privacy a luxury good, available only to those who can afford to pay for it, running the very real risk of further marginalizing the most marginalized. This risk is especially high in situations that have traditionally been regarded as coercive to consumers, such as “take it or leave it” offers or where essential services are involved. Additionally, Public Knowledge has urged that even where a person consents to the collection and use of personal information, that person should retain an ongoing right to withdraw consent. The California law does not clearly contain such safeguards or a clear right to withdraw consent; this clause requires significant improvement in future legislation or regulations, or the carve-outs should be removed entirely.
1) Data Portability: The California law requires data portability, giving Californians the right to request “the categories and specific pieces of personal information the business has collected.” Businesses that receive a “verifiable” request must provide the requested information to the consumer within 45 days, with extensions allowed. This promotes competition and consumer choice by allowing consumers to take their information to competing services or websites.
If a business provides the personal information electronically, the information must be in a machine-readable format. But, the business is also permitted to provide the information in paper copy, which would make it infinitely less portable.
Moreover, businesses are only required to disclose personal information from the previous 12 months. When many consumers have multi-year relationships with businesses, this would only require the return of a fraction of their personal information.
2) Right to Be Forgotten: The California law contains an Americanized version of the Right to Be Forgotten, although the law’s deletion right only applies to information the consumer herself has provided to the business. Unlike its European counterpart, the California version has a carve-out to ensure that others are able to exercise their First Amendment right to access information.
Unfortunately, the First Amendment carve-out is only one of nine exceptions to the deletion requirement. Three of the other exceptions, which pertain to the maintenance of information that is “reasonably anticipated” by consumers or “reasonably aligned” with consumer expectations of their relationship with the business or “compatible with the context in which the consumer provided the information” would probably exempt certain platforms from having to fully delete any consumer data ever. After all, aren’t an advertisement-supported platform’s business relationship with the consumer and the consumer’s expectation of that business relationship both that the platform will gobble up all of her information?
3) Applicability: California’s law applies to all businesses that meet certain thresholds. The good is that the law does not differentiate between online businesses and brick-and-mortar businesses that collect consumer information through loyalty cards or other mechanisms. The bad is that it applies only to businesses and not to nonprofits or other non-business entities that collect consumer data. It is also unclear whether the statutory thresholds are the right thresholds.
4) Private Right of Action: The California law contains a private right of action for data breach, and that private right comes with liquidated damages. Unfortunately, the circumstances where the private right would apply are vanishingly small. Indeed, Californians can only take advantage of the private right when a very short list of non-encrypted or non-redacted identification information and account numbers are exfiltrated, stolen, or disclosed. This is a much smaller subset of the personal information that is purported to be protected by the rest of the California law and perpetuates the antiquated sensitive/non-sensitive distinction in U.S. privacy law. And, if the personal information was inadequately encrypted or redacted, it seems that the private right does not apply at all. Rather, companies with inadequate security practices are given a free pass. In fact, the amendment history for the law makes clear that this provision was meant to limit the private right as much as possible.
The law also allows the California AG broad authority to halt consumer lawsuits, even when the AG refuses to take up the case.
The law’s notice and opt-out requirements are enforceable only by the state AG, who can bring an action for civil penalties. Those penalties cap out at $7,500 per violation.
1) Ban on Tertiary Sale of Personal Data: The new law prohibits businesses that have purchased Californians’ personal information from selling it to another party without notifying the individual consumer and giving him/her the opportunity to opt-out. While opt-in consent would be stronger, this could put a dent in the resale marketplace for personal information and help Californians better keep tabs on who has information about them.
2) You Don’t Have to Have an Account to Take Advantage of California’s Privacy Law: Given the proliferation of integrated social media “like” and “share” buttons – basically third party trackers – across the internet, one of the trickiest issues facing lawmakers seeking to legislate privacy in the digital age is how to address the privacy of individuals who have never opted in to having a relationship with a business by creating an account. The California law tackles this problem by mandating that consumers be permitted to request their personal information from a business and prohibit the sale of their personal information without creating an account with the business.
3) Making It Easy to Opt Out: While it would be better to require opt-in consent, at least the California law requires that the link to opt out of personal information sale be “clear and conspicuous” and use the standard language, “Do Not Sell My Personal Information.” The law further requires the state AG to develop “a recognizable and uniform opt-out logo or button.” Having a consistent logo across websites will make it easier for Californians to vindicate their opt-out rights – they will know what to look for and won’t have to poke around for a different logo on each website.
4) Eliminating the Sensitive/Non-Sensitive Distinction: California’s law seems to eliminate, at least for the notice and opt-out requirements, the sensitive/non-sensitive distinction that has been present in many privacy laws and bills in the past. This distinction, which grants greater protection to purportedly sensitive information, like first and last name, social security numbers, bank account numbers, than to so-called non-sensitive information, is increasingly illogical in today’s world. Indeed, under the old world order, the personal information in question in Facebook/Cambridge Analytica – information like social media “likes” that may be useful for influencing an individual in the voting booth, as well as for more mundane marketing and advertising purposes, and that, when aggregated, may, in fact, be personally identifiable – would not be considered sensitive and would not be protected. The California law does away with this archaic distinction by simply defining “personal information” as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The law does include an illustrative, non-exhaustive list of personal information, and, helpfully, that list includes “[i]nferences drawn” about a consumer.
The law also orders the state AG to promulgate regulations adding categories of information to the enumerated list in order to ensure that the law keeps pace with technology. But some readers have felt that the inclusion of a list raises the question of whether the law in fact does away with the sensitive/non-sensitive distinction.
The California law adopts some other useful definitions and concepts from the EU’s General Data Protection Regulation. For example, the law clarifies that in order to qualify as “deidentified” information, the business that maintains the information must have implemented technical safeguards, as well as business practices and processes, to prohibit reidentification.
5) Preventing Work-Arounds: California’s law helpfully voids any contract that purports to sign away consumers’ rights under the law and also includes language making clear that if a company takes a bunch of convoluted steps with personal information in order to evade the law’s requirements, a court enforcing the law must ignore the convoluted steps.
All Americans deserve privacy protection. There are a few ideas federal lawmakers (and other state lawmakers) might want to crib from California, but federal policy makers should set a higher floor for federal protections. It sounds like California’s lawmakers will be reopening this law again before it goes into effect in two years. They should use the opportunity to strengthen its consumer protections.