A New Day for Privacy Dawns in California
Written by Joseph Jerome, Michelle De Mooy
California’s passage of AB 375, the California Consumer Privacy Act of 2018, reshapes the conversation about privacy law and regulation in the United States (the convoluted process by which the law was enacted, and why it was enacted, is a story in its own right). Just as the passage of the nation’s first data breach notification law in California (SB 1386) galvanized other states, AB 375 is likely to spread around the country in the wake of continued public dissatisfaction about commercial data practices. With sweeping jurisdiction and unprecedented mandates, the bill sends a powerful privacy populism message from the world’s fifth largest economy to companies consuming the glut of consumer data now available to them.
Amidst a flurry of commentary in support of and opposed to the aims of the new law, CDT annotated key issues and concerns in the legislation, and we intend to track how these provisions are debated and potentially changed before January 1, 2020. Below, we highlight five areas of the law that will require additional consideration from legislators, advocates and industry.
Understanding the provisions of the California Consumer Privacy Act is challenging, largely because of the law’s reliance on legal definitions derived from the California privacy ballot initiative, which AB 375 was designed to supplant. Especially problematic is the law’s detailed definition of “personal information,” which includes everything from olfactory information and biometrics to technical identifiers like cookies and pixel tags, going beyond the state’s definition in its data breach notification statute.
But California legislators could have considered another proposal to find a slightly more cabined definition of personal information (from a 2013 California Attorney General report): “Any data linked to a person or persistently linked to a mobile device: data that can identify a person via personal information or a device via a unique identifier. Included are user-entered data, as well as automatically collected data.” Instead, AB 375’s definition covers “information that . . . is capable of being associated with . . . a particular consumer or household,” implicating most data about customers held by companies. This definition intersects with numerous provisions in the law, but a big question is whether it will be feasible for companies to provide access to such a breadth of information and whether this information will be useful to individuals. Another concern is the exclusion of “publicly available information” from the definition, though the law appears to recognize “aggregate consumer information” can also be sensitive by further excluding it from the definition of “publicly available information.”
AB 375 attempts to mitigate concerns around the breadth of the personal information definition by limiting disclosure and access rights to “specific pieces of information [a business] has collected” about individuals. It’s not clear, however, what constitutes a “specific” piece of data. For example, personal information also includes unique identifiers like “beacons, mobile ad identifiers, or similar technology.” Will companies be required to provide users with an array of IP addresses collected about them?
Online advertisers are also rightly worried about the bill’s expansive definition of personal information. Third-party advertisers have long argued that they do not use personal information as more typically, and narrowly, defined; instead, advertising technologies rely on “device-identified information” which is distinct from de-identified data. It is unclear how the California Attorney General will square a broad definition of personal data that specifically calls out technical information with an exception for de-identified information that is protected by both technical and administrative safeguards.
Unclear Deletion and Access Rights
AB 375 establishes new individual rights for Californians that echo those in the EU General Data Protection Regulation (GDPR), such as transparency, access to the personal information held by a company, and the ability to request deletion of that information. The law’s access and deletion provisions (and ability to opt-out of the sale of personal information) could serve as important checks on the data ecosystem, particularly in the opaque world of retailers and data brokers keen to amass rich sets of information without much consumer transparency.
Data portability is also endorsed in the law. Requiring U.S. companies to provide personal information in “a portable and, to the extent technically feasible, in a readily useable format” is an important, and positive, milestone in American privacy law. As CDT has previously stated, personal data portability — and data interoperability — are important tools to empower individuals, promote competition and create accountability in the data-driven world.
But data portability is no panacea, and AB 375’s new rights in other areas are not as nuanced as those found in the GDPR. For example, the California law’s access rights emphasize disclosure of “categories” of information, which doesn’t provide much insight for consumers into the information collected and used about them, let alone elucidate what it would mean for a person to move their personal information in bulk from one place to another. The deletion provisions may prove especially contentious, with some concern that they raise constitutional questions and leave the deletion decision ultimately up to the judgment of covered entities. While other provisions in the law apply to personal information “about the consumer,” consumers only have a right to request deletion of information “collected from the consumer.” How this narrowing of the deletion right will impact corporate data collection practices will be open for further discussion.
Additionally, businesses are not required to comply with deletion requests where “reasonably anticipated within the context of a business’s ongoing business relationship” or for any internal uses that are either aligned with a user’s privacy expectations or “compatible with the context” in which the information was provided. Though there may be reasonable exceptions for deletion, these provisions effectively give businesses unlimited flexibility in determining whether to grant user requests, turning a “right to deletion” into a right to “request and hope for deletion.”
Critics of AB 375 have already raised the specter that the law’s disclosure and deletion rights conflict with First Amendment and Takings Clause rights protected under the U.S. Constitution. The Takings Clause argument rests on the notion that regulations that substantially interfere with a business’s use of data that it has collected or processed may require compensation under the Fifth Amendment. Critics have also seized upon the Supreme Court’s 2011 decision in Sorrell v. IMS Health Inc. to argue that because data collection aids in marketing, it is protected by the First Amendment. While these arguments will require much more detailed analysis, CDT has explained in the past that the Supreme Court’s decision explicitly noted that statutes that put in place more comprehensive privacy rules “would present quite a different case than the one presented here.” AB 375 may be that law.
Non-Discrimination Provisions and “Pay-for-Privacy”
One important aim of the law is to limit companies’ ability to punish consumers for their efforts to opt-out of data-driven business practices. Doing this, however, is easier said than done, and it is not clear AB 375 has effectively struck this balance.
The California privacy ballot initiative contained a broad non-discrimination provision that prohibited companies from discriminating against individuals by “charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties” or “providing a different level or quality of goods or services to the consumer” if they opted out of allowing companies to sell their information. Critics argued that this would inhibit everything from new privacy-protective business models to even outlawing personalized coupons. While AB 375 retains these prohibitions, it also permits different prices or levels of service if that difference is “reasonably related to the value provided to the consumer by the consumer’s data.” It is unclear how anyone — companies, regulators or individuals — will be able to evaluate “value” in this context.
But then, according to the California Senate Judiciary Committee, the law includes provisions that may serve as “an endorsement of pay-for-privacy type practices” that make the law “internally inconsistent.” It attempts to provide a set of caveats to financial incentive programs that echo suggestions previously recommended by CDT in the context of broadband data collection and use. For instance, AB 375 calls for notice of any financial incentives and opt-in consent requirements, and prohibits incentive programs that are “unjust, unreasonable, coercive, or usurious.” Similar to the benign-sounding “financial incentives” offered to employees who enroll in employee wellness programs, which in practice serve as privacy penalties for under-resourced employees, “pay for privacy” programs such as this raise serious fairness and equity issues that require more comprehensive public debate.
The Role of the California Attorney General
Much depends also on the role of the California Attorney General. The law specifically instructs that “[a]ny business or third party may seek the opinion of the Attorney General for guidance on how to comply with [AB 375].” The law also gives the Attorney General broad rulemaking authority with respect to clarifying the scope of “unique personal identifiers” and what constitutes a “verifiable consumer request” under the law, among other provisions. Fortunately, the Attorney General has a year and some change to review and consider provisions before being called upon to provide guidance on the law.
The Attorney General will also need to both defend the law in court and act as its primary enforcer. The California privacy ballot initiative’s expansive private right of action has been limited to only certain types of data breaches where there is an “unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices.” (However, the drafting of the relevant provision is such that litigators could argue that the private right extends to other elements of AB 375.)
Companies are also afforded a period in which to cure violations, and importantly, the Attorney General is able to intervene to bring its own enforcement action or delay any private suit. But it is difficult to imagine how exactly a company would “cure” something like a data breach considering the many unknown variables that come with an attack.
Speedy policymaking rarely serves up sound policy and the problems in AB 375 are the byproduct of hasty legislating. The law lacks a private right of action for privacy violations; may do little to limit some of today’s most pervasive and invasive data practices like deceptive interface design, cross-device tracking, and device fingerprinting; and unnecessarily resorts to a notice-and-consent regime that has proven ineffectual for privacy protection.
But AB 375 is ultimately a crucial step towards the recognition that privacy rights are neither just about transparency, nor only access, deletion and portability. Privacy is a multi-layered human right that necessarily implicates questions of fairness, ethics and context, few of which are addressed in much depth in AB 375. This is not a perfect law, with its confusing provisions that aren’t responsive to key privacy harms and that are too open to interpretation. California has once again brought us closer to the enactment of a long-overdue federal privacy law in the U.S., one that offers some real protections for individuals and certainty for companies while finally making clear that our privacy rights should not end as we travel the data-driven and data-paved highway — in or out of California.