On May 1, 2019, WSGR held a panel discussing state and federal legislative privacy developments, including the California Consumer Privacy Act (CCPA). The panel, moderated by Chris Olsen, featured Ashkan Soltani, former chief technologist at the Federal Trade Commission (FTC), and Shaundra Watson, the senior director for policy at BSA (The Software Alliance). Here are the key takeaways from the discussion:
- Soltani, a chief architect of technical and operational aspects of the CCPA, discussed the legislative history of the Act, from its inception as a ballot measure to the 45 proposed amendments currently pending. He noted some of the challenges with drafting the legislation, including aligning multiple editors, developing requirements for access and authentication, and making such requirements technically sound while avoiding significant changes to the bill.
- Soltani addressed recent amendments coming out of the Consumer Protection Committee of the California Legislature. He discussed a proposed amendment to remove “household” from the definition of “personal information.” Soltani stated that “household” was not originally included in the definition of personal information in the ballot initiative, but was added by the committee out of concern that shared devices, such as smart TVs, were profiling consumers. While noting the validity of this concern, Soltani recognized that the inclusion of “household” complicated the access right and the ability to verify consumer requests.
- Soltani also discussed a proposed amendment to exempt employees from the bill’s coverage. He stated that the Legislature will likely land on a position where the distinction between employees and consumers is contextual, such that information within the context of an employer/employee relationship will be exempt from the law, but employees will be covered when acting as consumers.
- Turning to the controversial issue of the private right of action, Soltani noted the Attorney General supports expansion of the private right of action to cover all violations of the CCPA, instead of just breaches. Alastair Mactaggart, however, the sponsor of the ballot initiative, is unlikely to support such an expansion as he believes a limited private right of action was a central compromise made to support passage of the bill.
- Shaundra Watson, as a representative of the global software industry, discussed operational and policy issues presented by the CCPA. Watson noted the necessity of addressing contractors in any exemption for employee data, and echoed the concerns raised earlier regarding providing access to “household” information. She emphasized the importance of ensuring that CCPA requirements do not undermine consumer protection, such as by requiring businesses to re-link data to provide access, or by failing to recognize a comprehensive fraud prevention exception in the bill. Watson noted the critical interplay between the legislative and rulemaking processes in California, and the importance of staying abreast of developments on both fronts when considering compliance obligations.
- The panel addressed federal privacy legislation as well, noting that the momentum for federal legislation has never been greater than it is today. Watson discussed the BSA’s proposal for legislative principles, including: individual rights, such as access, correction, and deletion; an opt-out of the processing of personal information; a definition of sensitive personal information, as well as an opt-in for the collection of sensitive personal information; a discrimination provision; a deception provision; a requirement to employ reasonable security measures; and provisions governing data use. Most notably, Watson highlighted the need for consistent, comprehensive, and robust national standards that go beyond the sale of information to address how an organization may build a privacy program.
- The panel also focused on federal preemption. Soltani noted the challenges of preemption given the public statements against preemption from California members of Congress. Watson repeated the need for a single baseline standard as different states begin to legislate in this area.
The discussion reflected the complexities that exist with efforts to legislate on privacy issues at the state and federal level. WSGR will continue to monitor further legislative developments.