On September 23, 2018, Governor Jerry Brown signed into law SB-1121, a bill that makes several amendments to the California Consumer Privacy Act (CCPA or the Act). The controversial privacy law, which is set to take effect in 2020, recently sparked a war of words among industry, privacy advocates, and the California Attorney General, each of whom sent letters to the California legislature urging amendments to the legislation. The California Chamber of Commerce, along with 36 business coalitions (Industry), submitted a letter to California Senator Bill Dodd in August, calling the Act “unworkable,” urging both technical and substantive cleanup of the Act, and introducing 21 proposed amendments. A coalition of 20 consumer privacy advocate groups (Advocates) responded with their own letter, highlighting the negative consequences Industry’s proposed changes would have on consumer rights.
The Industry and Consumer Advocates did not wholly disagree. Both coalitions urged the legislature to make technical fixes, such as clarification that businesses do not have to collect extra information to comply with the Act, as well as clarification of the definition of de-identified information. The California Attorney General also weighed in with comments, requesting specific amendments and additional time to issue regulations. In response to the input from these various stakeholders, the legislature amended the Act on August 31, 2018 and sent it to the Governor’s desk. This article sets forth the principal issues discussed in the letters and the legislature’s response.
Limiting the Definition of Personal Information
Among the most notable aspects of the CCPA is its broad definition of “personal information.” It is defined under the Act as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This definition includes, but is not limited to, “IP address, biometric information, internet or other electronic network information, geolocation, audio, electronic, visual, thermal, professional or employment-related information, education information, ‘characteristics of protected classifications under California or federal law,’ and inferences drawn from [any other personal information] to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.”
Industry position. The Industry letter argued that the Act’s definition of personal information is “so sweeping as to be meaningless,” as “[e]very piece of data could in theory be randomly ‘associated with an individual.’” It urged the legislature to make the definition of personal information consistent with the notion of an identifiable person and, specifically, to:
- Clarify that personal information is limited to information “linked or reasonably linkable” to a particular consumer.
- Remove references to household, devices, and family, to prevent situations like an abusive spouse or roommate accessing the personal information of another member of the household.
- Clarify that the list of examples of personal information in the CCPA constitutes a non-exhaustive list of information that may be, but is not always, personal information.
- Remove “probabilistic identifiers” from the definition of “unique personal identifier,” because probabilistic identifiers are imprecise and cannot on their own identify an individual.
- Remove references to inferences and tendencies.
- Remove references to professional or employment-related information, as the concept is so broad that it may be read to confer rights to employees vis-a-vis their employers with respect to personnel records.
- Explicitly exclude de-identified, aggregate, and pseudonymized consumer information.
Advocate position. In response, the Advocates stated that the broad definition of personal information is consistent with California law. The Advocates also contested the removal of “probabilistic identifiers,” which, they note, are used every day by many industries to create dossiers on individuals based on data gathered from devices, TVs, and gaming platforms.
Outcome. The legislature updated the definition of “personal information” to make clear that identifiers and data falling into the specific categories are not considered “personal information” unless and to the extent they can be linked to a particular consumer or household. The legislature otherwise left the definition unchanged.
Clarifying the HIPAA Exemption to Include Business Associates
The CCPA includes an exemption for protected health information (PHI) collected by “covered entities” under HIPAA. HIPAA, however, applies more broadly to health information collected by “covered entities” as well as “business associates.”
Industry position. The Industry letter asserted that the CCPA authors clearly intended to include a full HIPAA exemption and inadvertently excluded business associates. The letter argued that the “strong consumer protections” already afforded consumers under HIPAA warrant a full exemption under the Act.
Advocate position. The Advocates disagreed that HIPAA provides sufficient protection for health information, arguing that the legislature should not expand the existing HIPAA exemption.
Outcome. The legislature amended the Act to add an exemption for all HIPAA-covered entities, including business associates, and added an exemption for information collected as part of clinical trials subject to the Federal Policy for the Protection of Human Subjects. Relatedly, the legislature also clarified that data regulated under the Gramm-Leach-Bliley Act (GLBA) and the Driver’s Privacy Protection Act (DPPA) are exempt from CCPA requirements, regardless of whether the CCPA conflicts with these laws.
Preserving the Right to Request “Specific Pieces” of Personal Information
The CCPA grants consumers the right to request both the “specific pieces” and the “categories” of personal information collected about the consumer.
Industry position. The Industry letter attacked the Act’s lack of clarity regarding what constitutes “specific pieces” of personal information, as opposed to a “category.” The letter noted that because businesses may collect sensitive information from consumers, such as Social Security numbers, allowing consumers to request this information creates heightened risk for businesses and exposes consumers to the risk of inadvertent disclosure to a fraudster posing as the consumer. The Industry contended that this will require businesses to inventory each individual piece of information in order to identify whether it is considered personal information, a burden the Industry characterized as unworkable. Retaining personalized records to provide consumers with specific pieces of information would undermine privacy, the Industry wrote, noting that businesses typically maintain consumer information in a form that does not directly link data to an individual consumer. The Industry argued that providing consumers with specific information would require businesses to link otherwise unlinked data, thereby undermining the purpose of the Act and failing to provide consumers with any more transparency than that already granted by the CCPA. The Industry therefore recommended narrowing the access right of consumers by striking any references to “specific information.”
Advocates position. In response, the Advocates maintained that the access right was deliberately expanded, such that consumers would now be able to request the specific elements a business collected about them, as opposed to mere categories of information collected. Though an expanded access right imposes an additional burden on businesses, the Advocates argued that global businesses already offer this broad access right to European customers, as required by GDPR, and they would merely need to extend this right to Californians. The Advocates also contended that removing the right to receive specific information would have the effect of removing the Act’s data portability right.
Outcome. The legislature declined to amend this aspect of the Act at this time. Barring any future amendments, companies covered by the Act will be required to make specific pieces of personal information collected available to consumers.
Preserving the Requirement that Data be Provided in a Readily Useable Format
Similar to the GDPR, the CCPA provides the right to data portability, which requires businesses to deliver consumers’ personal data, free of charge, in a readable, technically feasible format, such that a consumer can transfer the information from one entity to another “without hindrance.”
Industry position. The Industry letter stated that “vestiges of the portability right were mistakenly included” in the Act, and that a portability mandate will be “impossible for most businesses to achieve operationally.” The Industry argued that compliance will be especially difficult due to the Act’s broad definition of personal data, and that a data portability right presents the same security risk as a broad right of access – that bad actors will use this right as a vehicle for identity theft.
Advocate position. In response, the Advocates stated that removing this right will lock consumers into services which they may no longer desire.
Outcome. The legislature declined to alter the data portability right in the Act. Unless amended prior to the Act becoming effective, companies will need to deliver consumers’ personal data, free of charge, in a technically feasible format.
Preserving the Standard for Knowledge that a Business has Information of a Minor
Under the CCPA, a business cannot sell the personal information of a consumer without opt-in consent if the business has “actual knowledge” that the consumer is under 16 years of age. The CCPA clarifies that a business that “willfully disregards the consumer’s age shall be deemed to have had actual knowledge of the consumer’s age.”
Industry position. The Industry letter suggested the “willful disregard” and “actual knowledge” standards were inconsistent and urged the legislature to revise the definition.
Advocates position. The Advocates argued that removing “willful disregard” from the definition of “actual knowledge” would substantially weaken “explicitly chosen protections for the most vulnerable among us,” leading to more surveillance on children and families.
Outcome. The legislature declined to amend the Act to address this point. Barring any future amendments, businesses covered by the Act will need to obtain consent to sell information of individuals that they have actual knowledge are under 16. They will be on the hook if they willfully disregard users’ ages.
Preserving the Scope of Opt-Outs
The CCPA requires businesses to respect a consumer’s decision to opt out from the sale of their personal information for at least 12 months before requesting the consumer’s authorization of such a sale.
Industry position. The Industry letter argued that if a consumer exercises their right to opt out with one part of a business, that unit must share its information with the rest of the business in order to communicate that the consumer opted out, thereby reducing privacy for the consumer. Thus, Industry suggested limiting the 12-month hiatus to the business unit that received the request, rather than applying it to the entire business.
Advocates position. The Advocates disagreed, arguing that this limitation would render the opt-out meaningless by making it needlessly difficult for a consumer to opt out.
Outcome. The legislature declined to amend the Act to address this point, leaving the opt-out provision unchanged.
California Attorney General Letter
The California Attorney General’s Office (AGO), which will have rulemaking and enforcement authority under the Act, submitted its own letter to the legislature, setting forth five primary concerns with the Act:
- Requiring the AGO to provide legal counsel at taxpayers’ expense to all inquiring businesses creates the unprecedented obligation of using public funds to provide unlimited legal advice to private parties. This presents a conflict of interest whereby the AGO provides legal advice to parties who may be violating the privacy rights of Californians, the very people the AGO is sworn to protect.
- The civil penalty provisions are likely unconstitutional, as they purport to amend and modify the civil penalty provisions of the California Unfair Competition Law, which cannot be amended through legislation.
- The requirement that private plaintiffs provide notice to the Attorney General before filing suit is unnecessary and imposes administrative costs on the AGO.
- A one-year deadline for the AGO to conduct rulemaking is unattainable. This does not provide sufficient time to issue strong, enforceable regulations.
- The law should include a private right of action for consumers that would allow them to seek legal remedies in order to protect their privacy, rather than just for a data breach.
Outcome. The Attorney General generally had more success at convincing the legislature to adopt its proposed changes than the Industry and the Advocates. The amendments:
- Extend the period of time for Attorney General rulemaking by 6 months, to July 1, 2020. Until this time, the AG cannot prosecute under the Act.
- Clarify and limit the private right of action to violations where there is a data security breach of nonencrypted or nonredacted personal information, and the breach is a result of the business’s violation of the duty to implement and maintain reasonable security measures.
- Remove the requirement that a consumer must first give notice to the Attorney General within 30 days of filing a civil action and wait 6 months to see if the Attorney General pursues the action.
- Limit monetary penalties by the Attorney General to $2,500 for each violation and $7,500 for intentional violations, and remove any references to California’s Unfair Competition Law.
Finally, though not addressed in the Industry, Advocate, or Attorney General letters, SB 1121 clarifies that the Act does not apply to speech that state or federal courts have recognized as noncommercial speech, including political speech and journalism.
Conclusion
Though SB 1121 made both substantive and technical changes to AB 375, it is clear that many concerns remain for the Industry, the Advocates, and the California Attorney General. As such, further amendments by the legislature are expected prior to the law coming into effect. WSGR will continue to monitor developments and provide updates.