California Privacy Law Looms

By Jerri-Lynn Scofield, who has worked as a securities lawyer and a derivatives trader. She is currently writing a book about textile artisans.

As the Trump administration seeks to upend the influence California has in setting national fuel emissions policy for the auto industry, the new California Consumer Privacy Act (CCPA is scheduled to come into effect on 1st January.

Businesses are racing to comply (see Trump Seeks to Revoke California Emissions Waiver; see also Trump challenges California’s power to regulate vehicle emissions, for Trump efforts subsequent to my post, which I may write up at some future date).

The state passed the CCPA in July 2018, the first legislation of its kind in the US. In the absence of any federal initiative, this  bellwether may become the de facto model or even floor for other state efforts, just as has occurred in the area of auto emissions.

The CCPA forestalled a more expansive ballot initiative, which was pending at the time of passage (see California Passes Online Privacy Law). More than 500,000 businesses meet the criteria that makes them subject to its terms, not all of them based in California.

The Wall Street Journal reported Sunday in Businesses Across the Board Scramble to Comply With California Data-Privacy Law:

Starting next year, all California residents will have the right to ask retailers, restaurants, airlines, banks and many other companies to provide them with any personal information they may have, including individual contact information, purchases and loyalty-program history. Consumers also can ask that businesses delete their information, or opt out of letting it be sold.

But the law, which passed last year and goes into effect Jan. 1, applies to any for-profit business that does business in California and collects data on California residents, as long as its annual revenue tops $25 million, or it holds personal information on at least 50,000 consumers, or it generates at least 50% of its annual revenue from selling user data. Even companies with no physical presence in California but a website that serves Californians are preparing to comply.

Even though the California law was passed last summer, many companies adopted a wait-and-see attitude during the amendment and rule-making process and failed to take timely  steps to ensure their compliance by January 2020. In fact, in a survey PricewaterhouseCoopers conducted last year, only 52% of respondents said they expected their company to be compliant by the legislation’s effective date, as reported by the WSJ.

Forbes fleshed out what the CCPS will do, in A New California Privacy Law Could Affect Every U.S. Business—Will You Be Ready?:

The CCPA will enable individuals to take a more active role in monitoring and protecting their personal information. Although the regulation consists of complex data safeguards, consumer rights can be grouped into five high-level categories:

  1. Businesses must inform consumers of their intent to collect personal information.
  2. Consumers have the right to know what personal information a company has collected, where the data came from, how it will be used, and with whom it’s shared.
  3. Consumers have the right to prevent businesses from selling their personal information to third parties.
  4. Consumers can request businesses to remove the personal information that the business has on them.
  5. Businesses are prohibited from charging consumers different prices or refusing service, even if the consumer exercised their privacy rights.

California Standard Compared to EU Regulation

What will the CCPA, compared to the standard set up the EU’s General Data Protection Regulation?

As Roll Call reports, California sees push on data privacy:

The California law in some cases is tougher than the European Union’s General Data Protection Regulation, or GDPR, that went into force last year.

The GDPR and California privacy laws offer affirmative rights to consumers with respect to data being collected on them by online companies…

While GDPR considers personal information as anything that is directly or indirectly identified or identifiable with an individual, the California law goes further, covering not only an individual but also data belonging to a household.

The CCPA also includes under “personal information” inferences that can be drawn from disparate data sets using artificial intelligence algorithms.

CCPA defines personal information as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

Hail Mary Passes: Last-Minute Amendments

Considerable lobbying activity is still underway to amend aspects of the law before California’s legislative session for this year closes at the end of the week.

As Roll Call reports:

Retailers, online advertisers, small businesses and groups representing employers are all seeking either exemptions or amendments to the California Consumer Privacy Act, or CCPA, which has set the stage for a national debate on how companies should safeguard users’ personal information online.

The state’s constitution requires that all amendments and bills for the legislature’s consideration be filed and printed 72 hours before the end of the session, making Monday the deadline for proposing changes to the law. The assembly ends its session for the year on Friday.

The International Association of Privacy Professionals is following the progress of all proposed changes and reports 10 amendments are still in play, whilel 8 are moribund, according to Roll Call. Two are worth examining further here.

First, according to Roll Call:

Of the several changes sought by companies in California, one of the main ones that has gained traction is an amendment that would grant a one-year exemption for companies collecting data on employees and job applicants from being considered “consumers” under the law. The amendment has cleared the state’s Senate Judiciary Committee and now awaits passage in the full upper chamber before being approved by the assembly and heading to the governor’s desk.

Under the expansive definition of personal information in the law, several scenarios that have nothing to do with consumers could be affected, including data collected by employers on employees, [Sarah Boot, policy advocate on privacy issues at the California Chamber of Commerce] said.

Left unaddressed, the law would have covered all employee emails, internal discussions on projects, and potentially employees’ internet search history on a company’s computers, Boot said. Without the amendment, the law would also have allowed employees to demand that employers delete all their emails, potentially destroying any evidence in cases involving sexual harassment and other workplace misbehavior, she said.

The amendment would allow employee data to be exempt from the law for one year, while companies and labor unions work to come up with a compromise on what data can be collected by employers and how it should be stored and used, Boot said.

And a second significant issue still in play: customer loyalty programs:

Another proposed change that is unlikely to survive is a push by retailers and advertisers to exempt customer loyalty programs from the law’s provisions. Companies tried to argue that consumers would stand to lose if a grocery chain is not allowed to share customer details with say a gas station chain or similar arrangements among airlines, hotels and car rental companies.

Nevertheless, retailers and lobbyists are pushing to exclude loyalty programs from CCPA’s purview, said Dan Jaffe, executive vice president at the Association of National Advertisers. “A vast number of American consumers are part of loyalty programs and if the California law disallows companies from selling any consumer data it would undermine all loyalty programs,” he said.

Will these efforts to restrict the range of the statute prevail? I cannot hazard a guess. Yet whether or not they do, the overall CCPA framework will go into effect in 2020, thus according at least some in the United States levels of digital privacy protection (somewhat) comparable  to those offered to EU residents.

 

Print Friendly, PDF & Email

10 comments

  1. Alex

    This is a step in the right direction. What is really interesting is how the regulators and courts will apply this law, which is a bit vague.

    I’m working in the GDPR area in an industry affected by it, and I see that companies mostly comply with it (it’s been more than a year since it went into effect) however there are many grey areas where you can interpret the law one way or another.

    We’ll see how it will play out in the U.S.

    Reply
  2. Anon

    Of the several changes sought by companies in California, one of the main ones that has gained traction is an amendment that would grant a one-year exemption for companies collecting data on employees and job applicants from being considered “consumers” under the law.

    Why should companies collecting information on job applicants and employees be exempted? How do these people (employee or employer) determine that the information is accurate? Wouldn’t it be better to make the information available to both parties and ask for an explanation? If the information is inaccurate then it can be corrected.

    The problem with much of the clandestine data gathering is that it’s being used to make someone a profit (looking at you, Sergei!) and not being used transparently.

    Reply
    1. danny

      For what it’s worth, CCPA is a consumer privacy law. It wasn’t intended as a broader privacy law. There are other factors at play in the employer relationship that should be written into the law and potential conflicts with other laws that need to be considered and addressed.
      I’m a big fan of an omnibus privacy law – like GDPR – so it pains me a little to say that the California legislature should set aside the employment relationship for now to get it right.

      Reply
  3. Summer

    Non-profits should be included.
    So many of them are just fronts for some kind of profiteering or another.
    Political parties and consultants come to mind.

    Reply
    1. danny

      The law applies broadly enough that many non-profits will get swept up in it. However, it won’t stop people from using non-profits for profiteering. It’s a privacy law after all.

      Reply
  4. Dan

    Do your part: give erroneous information whenever you are asked for it:

    “Want to join our loyalty club?”

    “Sure!”
    “What’s your phone number?” make one up.
    “Do we have your email?” Make one up.

    All this is pointless if you use a credit card. So pay cash for small purchases and to guarantee your privacy.

    Never register for warranties, that is a major data harvesting point. Or, use a fake name, address and email. If you ever need to invoke the warranty, “correct the mistakes” i.e. “We moved”. Or just tape receipts to the bottom of appliances and take them back if broken. Raise a stink and hog space and time at the customer service desk until they give you something.

    Reply
  5. danny

    Most companies are still waiting to see what the legislature does in the next few weeks. Or at least that’s what I’m hearing and seeing.
    One way to see how seriously companies are taking CCPA obligations is to watch job boards in this space. I’ll post a link to a niche board below. What I see across the board is that so few companies are hiring relative to the need. It’s unlike what happened with GDPR where companies a started hiring about a year out.
    https://iapp.org/connect/career-central/#!#job-board

    Reply
  6. Oh

    I wonder whether this law protects all the info that K thru 12 student give away by using a Chromebook (generously donate by Google) which are necessary to submit homework assignments, etc. Surely, there’s a lot of private info being stolen by Google!

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *