[{"innerBlocks":[],"name":"core\/freeform","postId":1055,"blockType":{"name":"core\/freeform","keywords":[],"attributes":{"content":{"type":"string","source":"html"},"lock":{"type":"object"}},"providesContext":[],"usesContext":[],"supports":{"className":false,"customClassName":false,"reusable":false},"styles":[],"variations":[],"apiVersion":2,"title":"Classic","description":"Use the classic WordPress editor.","category":"text"},"originalContent":" $\"\"$ \n\nIn response to controversies concerning consumers\u2019 personal information, such as the Facebook\/Cambridge Analytica controversy, and a California ballot initiative that qualified for the November ballot and proposed the California Consumer Privacy Act (\u201cCCPA Initiative\u201d), the legislature in California responded with AB-375, which proposed an alternative version of the California Consumer Privacy Act of 2018. The authors of AB-375 worked out a compromise with the sponsors of the CCPA Initiative, and AB-375 was passed and signed by Governor Jerry Brown, becoming the California Consumer Privacy Act of 2018, codified at Title 18.1.5 of the California Civil Code (the \u201cCCPA\u201d). We have written about the CCPA here<\/a> and here<\/a>. The CCPA becomes effective January 1, 2020, though practically, businesses will need to start data mapping and recordkeeping on January 1, 2019, to be able to be in compliance upon the effective date. The legislature has already started a process of potentially amending the CCPA through SB-1121, which was originally intended as a different alternative to the CCPA Initiative (\u201cOld SB-1121\u201d). SB-1121 was amended on August 6, 2018, to refine the CCPA (\u201cNew SB-1121\u201d).\u00a0 However, as Santa Clara University School of Law Professor Eric Goldman states in his recent article Recent Developments Regarding the California Consumer Privacy Act<\/em><\/a>, New SB-1121 \u201crepresents less than 1% of the obviously needed changes to the bill.\u201d Professor Goldman\u2019s article does a good job of identifying errors and problems that he has collected through crowdsourcing and of summarizing proposed changes that have been submitted to the bill\u2019s authors by leading industry groups led by the Association of National Advertisers (\u201cANA\u201d)(\u201cANA Coalition Proposal\u201d), as well as from public interest groups, including the Electronic Frontier Foundation (\u201cEFF\u201d). On August 24 New SB-1121 was further amended (\u201c8\/24 Amendment\u201d), adding some additional notable changes such as expanding the carve out of data regulated by federal and state privacy laws for healthcare entities and financial institutions, providing for immediate preemption of local laws, and delaying enforcement of the CCPA by the Attorney General until the earlier of six months from adoption of regulations or July 1, 2020.\u00a0 A copy of the current bill as of August 24 is here<\/a>. Unfortunately, even with the August 24 additions, much remains to be fixed and in this post, we point out issues the legislature should address.\n\n\n\nThe original New SB-1121 would amend the CCPA in the following modest ways:\n
\n \t
A business would not be required to disclose a consumer\u2019s deletion right on its website or in its online privacy policy(ies). Rather, it must provide notice \u201cin a form that is reasonably accessible to consumers.\u201d Thus, a business could provide notice through its privacy policy but is not required to.<\/li>\n \t
Adds a Section (k) to 1798.145, which states that the rights and obligations under the CCPA do not apply if they infringe on a business\u2019 noncommercial speech rights. This is a further attempt to guard against a First Amendment challenge to the law.<\/li>\n \t
Adds a sentence to 1798.150(c) clarifying that the private right of action set forth in \u00a7<\/strong>1798.150(a) only applies to \u201cviolations\u201d that are security incidents as described in CA CIVIL CODE \u00a7<\/strong>1798.150(a). This merely clarifies the provision, presumably to try to address ambiguities from the use of the term \u201cviolations\u201d of the CCPA, which itself has no security duty provisions other than in the remedy provision itself.<\/li>\n \t
Adds that the CCPA will not apply if its application is preempted by or is in conflict with the US Constitution. The CCPA, as passed, already stated that it will not apply if its application is preempted by or is in conflict with federal law or the California Constitution.<\/li>\n \t
Makes various grammatical, technical and clarifying changes to the CCPA. For example, it would change \u201cbusiness\u2019\u201d to \u201cbusiness\u2019s\u201d and \u201copt out\u201d to \u201copt-out.\u201d<\/li>\n<\/ul>\nThe 8\/24 Amendment proposes other material changes, such as:\n
\n \t
Prohibiting application of the Act to personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (governing financial institutions) or the CA Financial Information Privacy Act, or protected health information collected by a covered entity or business associate governed by the federal Health Insurance Portability and Accountability Act or medical information governed by the CA Confidentiality of Medical Information Act. This expands existing carve outs.<\/li>\n \t
Further clarifies that the private right of action is limited to the type of data security incident defined in subsection (a) of Section 1798.150 and not any other violations of \u201cany other sections of this title.\u201d<\/li>\n \t
Revises the definition of personal information to clarify that data that falls into the categories of personal information described will only be personal information if \u201cit identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.\u201d In other words, data falling into one of the specified categories is not per se personal information.<\/li>\n \t
Changes the civil penalty provisions available to the Attorney General by (i) making them independent of Section 17206 of the Business and Professions Code; and (ii) providing that penalty for each violation can be up to $7500 regardless of intent (intent currently required to exceed $2500 per violation).<\/li>\n \t
Removes the one year requirement for the Attorney General to establish certain rules and procedures (e.g., opt-out), puts a deadline of July 1, 2020 on the Attorney General to adopt regulations furthering the purpose of the Act, and limits enforcement by the Attorney General until six months thereafter, or July 1, 2020, whichever is sooner.<\/li>\n \t
Makes the preemption of local laws immediate.<\/li>\n<\/ul>\nIn the remainder of this post, we will discuss some of what the legislature should consider addressing as part of SB-1121, or otherwise.\n\nFirst, it is worth noting what was scrapped when amending SB-1121. Old SB-1121 would have amended California\u2019s data breach laws under Title 1.81 of the Civil Code in a manner that would increase consumer remedies when it comes to such breaches and do so beyond what the CCPA provides. For example, under current California data breach law, \u201ccustomers\u201d may bring an action for damages incurred arising out of a business\u2019 violation of data security laws. Old SB-1121 would have expanded the scope of data breach laws to \u201cconsumers,\u201d defined as any natural person, and provided for statutory penalties for data breach and breach notification violations. The CCPA\u2019s new private right of action is more limited, restricting statutory damages to where there is insufficient cure after notice and requiring notice to the Attorney General and the ability for the Attorney General to stop the private action from proceeding. However, neither the CCPA nor SB-1121 changes the existing private right of action under Title 1.81. SB-1121 should be further amended to do away with the private right of action under Title 1.81 and have the new private right of action under Title 1.81.5 be the exclusive private right of action for data security failures. Moreover, Old SB-1121 proposed to expand the coverage of California\u2019s Shine the Light Act beyond California \u201ccustomers\u201d to \u201cconsumers\u201d (i.e., natural persons), with respect to non-compliance with the Shine the Light Act\u2019s transparency and choice requirements regarding sharing of personal information for third-party direct marketing purposes. These provisions were dropped in New SB-1121, but New SB-1121, as revised by the 8\/24 Amendment, does nothing to try to harmonize California\u2019s Shine the Light Act with the much more comprehensive consumer privacy rights of the CCPA. SB-1121 should be further amended to repeal the Shine the Light Act all together.\u00a0 Otherwise, covered businesses will struggle with two different but overlapping California transparency and choice regimes \u2014 including the need to post homepage links on their web sites to both a \u201cYour California Privacy Rights<\/u>\u201d link to a Shine the Light Act rights notice and a \u201cDo Not Sell My Personal Information<\/u>\u201d link to the CCPA opt-out.\n\nLobbyists for both industry and consumer groups are pushing for a variety of changes.\u00a0\u00a0 However, it is unlikely that SB-1121 will be used to substantially water down the CCPA, as the 8\/24 Amendment reflects.\u00a0 The legislative history of both AB-375 and SB-1121 indicates that the ballot initiative sponsors have promised to revive the initiative if that is done. Rather, expect SB-1121 to refine the law, fix conflicts and unintended consequences and possibly better harmonize it with other California data privacy and security laws, such as Shine the Light (regulating sharing of personal information for third-party marketing), Cal. OPPA (regulating online privacy and privacy policies) and data security and breach notification laws. A delay in enforcement proposed by the 8\/24 Amendment seems possible, especially since it is prudent to provide time for regulations to be promulgated and taken into account by businesses.\u00a0 The EFF and other groups are pushing not to water down, but to further expand, consumer rights under the CCPA. For instance, the EFF\u2019s proposals<\/a> include expanding the private right of action to any breach of the CCPA\u2019s obligations, including privacy transparency and choice requirements. The legislative history of the CCPA and reports<\/a> of what went on behind the scenes to reach the compromise indicate that a very narrow private right of action was a key issue for industry, and AB 375\u2019s authors accepted that as fundamental to the compromise.\u00a0 However, as noted below, that intent could be better clarified and it appears from the 8\/24 Amendment that there is interest by the legislature in doing so.\n\nIn addition to harmonizing Title 1.81 and new Title 1.81.5 to repeal the Shine the Light Act and Title 1.81\u2019s private rights of action, as already discussed, a few of the things we would like the California legislature to consider include:\n
\n \t
The ANA Coalition proposal<\/a>, in particular regarding the definition of personal information, deidentified and aggregate data, data portability, detailing specific pieces of personal information on a customer-specific basis, allowing less than an all-or-nothing opt-out of sales, clarifications on incentive and loyalty programs, better cleaning up of conflicts with existing federal laws (which is addressed in the 8\/24 Amendment) and regarding interest-based advertising.<\/li>\n \t
Businesses must list the categories of personal information disclosed for a business purpose in the preceding 12 months (or if the business has not disclosed consumers\u2019 personal information for a business purpose in the preceding 12 months, the business must state that). However, there is no obligation to include a list of categories of personal information disclosed for a commercial purpose in the preceding 12 months. This distinction between the underlying purposes does not apply with respect to categories of personal information collected, just disclosed. Was this intentional or a drafting error?<\/li>\n \t
The CCPA is internally inconsistent as to whether or not the online notice needs to include the categories of sources from which personal information is collected, the categories of third parties with which personal information is disclosed and the specific pieces of personal information collected about a specific consumer. This should be clarified. Obviously, the last could not be done in a general notice.<\/li>\n \t
The CCPA permits transfers to a third party the of personal information of a consumer as an asset that is part of a merger, acquisition, bankruptcy or other transaction in which the third party assumes control of all or part of the business, provided that information is used or shared consistently with 1798.110 and \u00a71798.115. If the recipient in such a transaction materially alters how it uses or shares the PI of a consumer in a manner that is materially inconsistent with the promises made at the time of collection, it needs to provide prior notice of the new or changed practice to the consumer. However, \u00a7<\/strong> 1798.110 and \u00a7<\/strong> 1798.115 are the sections that set forth notice and disclosure requirements of consumer rights under the CCPA regarding businesses that collect personal information, sell personal information or disclose personal information for a business purpose. Presumably, the intent is that the data continue to be used and shared as described in the privacy policy or notice that included those CCPA rights disclosures. However, that is not what the Act explicitly states.<\/li>\n \t
The definition of business includes, \u201c[a]ny entity that controls or is controlled by a business, as defined in subparagraph (1), and that shares Common Branding [\u201cshared name, servicemark, or trademark\u201d] with the business.\u201d As such, the CCPA essentially requires all of the members of a similarly branded family of companies that have an entity that meets the definition of business to also be treated as a covered business.\u00a0It is not clear if the intent is that the commonly branded entities must or can be treated as a single business under the CCPA.<\/li>\n \t
The CCPA will regulate \u201cpersonal information,\u201d broadly defined as \u201cinformation that identifies, relates to, describes, is capable of being associated with<\/em><\/strong> or could reasonably be linked, directly or indirectly<\/em> with a particular consumer or household<\/em>.\u201d This includes information collected both online and offline. It is hard to imagine what data about a person is not capable of being associated with<\/em> a particular consumer or household. For instance, demographic data alone (e.g., gender, profession, race) is capable of being associated with a person, but alone, it will not reasonably enable their identification or be reasonably linked to a specific person. Compare this to the definition of personal information under Title 1.81 of the California Civil Code, which includes California\u2019s customer records security and breach laws, and the Shine the Light Act\u2019s marketing transparency and choice requirements. In that title, there is a top-level definition of personal information that includes \u201cany information \u2026 capable of being associated with a particular individual\u201d to which the duty of reasonable security under the circumstances applies, but more narrow definitions are used regarding a customer\u2019s rights regarding sharing for third-party marketing purposes (\u201cany information that when it was disclosed<\/u> identified, described or was able to be associated with<\/em> an individual\u2026.)\u201d and regarding the type of data that will trigger a breach notification obligation (first initial or name and last name plus an account number or ID number and password). While a broad definition arguably has utility with respect to providing notice of what data is collected, when applied to what data is disclosed or sold, and even more so as applied to opt-out, portability and deletion rights, it is likely practically unworkable. This problem is made worse by the CCPA\u2019s ambiguities regarding deidentified data and aggregate consumer information, discussed below. The 8\/24 Amendment\u2019s revision of the definition of personal information does not reach this issue.<\/li>\n \t
The definition of PI under the CCPA does not include publicly available information. \u201cPublicly available\u201d is defined as \u201cinformation that is lawfully made available from federal, state or local government records, if any conditions associated with such information<\/em>.\u201d The italicized language seems to be a typo or an incomplete thought. Further, under the Act, information is not \u201cpublicly available\u201d if that data is used for a purpose that is not compatible with the purpose for which the data is maintained and made available in the government records or for which it is publicly maintained. Practically, this likely precludes many, if not most, uses by a business, given that their uses will rarely be the same as the government\u2019s purpose, at least with respect to most commercial purposes. Also included in the provision regarding what is not personal information is deidentified data and aggregate consumer information, suggesting that these types of data are intended to be excluded from the definition of personal information, but this is unclear as the law is currently worded. The CCPA states \u201c\u2018Publicly Available\u2019 does not include consumer information that is Deidentified or aggregate consumer information.\u201d The intent is likely to have used \u201cPersonal Information\u201d rather than \u201cPublicly Available,\u201d given the context. However, Section 1798.145(a)(5) provides that \u201c[t]he obligations imposed on businesses by this title shall not restrict a business\u2019s ability to \u2026 collect, use, retain, sell or disclose consumer information that is deidentified or in the aggregate consumer information.\u201d This would seem sufficient to remove deidentified and aggregate consumer information from the data applicable to deletion and \u201cdo not sell\u201d rights. Practically, portability rights would also not apply, especially since the CCPA provides that there is no obligation to re-identify deidentified data \u201cnot maintained in a manner that would be considered personal information.\u201d However, the other obligations regarding personal information would seem to apply unless the definition of personal information is not clarified to exclude deidentified and aggregate consumer information. Also, the definition of deidentified suffers from the same problem as the definition of personal information \u2014 data \u201ccapable of being associated with \u2026 a particular consumer,\u201d which could be cured by taking a narrower view of personal information as already suggested.<\/li>\n \t
Another ambiguity regarding what is and is not personal information has to do with device identifiers. The definition of personal information is tied to a \u201cparticular consumer or household,\u201d and \u201cdevice\u201d is not included in the definition. However, it is used for purposes of counting \u201cthe personal information of 50,000 or more consumers, households or devices\u201d for reaching the threshold of being a covered business. Further, the examples of personal information, which are also the categories that personal information is to be grouped in for reporting purposes, include Unique IDs and Probabilistic IDs, both of which are said to be tied to a device, and the definition of aggregate consumer information excludes information that is linkable to a device. Accordingly, are browser IDs, cookie IDs, AD IDs and other unique identifiers used to identify a device, or a pseudonymous user, personal information or deidentified? This is particularly relevant given the personal information deletion right. Under a broad interpretation of the Act, such a deletion request could potentially require the deletion of cookies, other device IDs, other unique identifiers and related usage data for many of the purposes for which a business would typically use them that are not included in the exceptions of the deletion requirement. Again, this could be fixed by a much narrower definition of personal information, at least for purposes other than notice of collection.<\/li>\n \t
The CCPA requires a business that collects a consumer\u2019s personal information to, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information will be used. A business cannot collect additional categories of personal information or use personal information collected for additional purposes without providing the consumer with such notice. No guidance is given on whether disclosure in a publicly posted privacy policy is sufficient notice. This is particularly relevant when the collection takes place in a context remote from where the privacy policy is posted. For instance, collection includes buying, renting, obtaining or receiving personal information indirectly or passively and\/or from a third party. Other than in a publicly posted privacy policy, how could a business make the required disclosures prior to a third-party transfer where the business has no touchpoint with the data subject? While the recipient business could contractually require the disclosing business to provide the notice prior to its collection, that would not seem to meet the technical requirements of the statute.<\/li>\n \t
Under the CCPA, \u201csell,\u201d \u201cselling,\u201d \u201csale\u201d and \u201csold\u201d are defined as \u201cselling, renting, releasing, disclosing, disseminating, making available, transferring or otherwise communicating a consumer\u2019s personal information to another business or a third party for monetary or valuable consideration.\u201d However, a business does not \u201csell\u201d personal information under the CCPA when a consumer uses or directs the business to intentionally disclose personal information or uses the business to intentionally interact with a third party, provided the third party does not also sell the personal information, unless that disclosure would be consistent with the provisions of the Act. If the third party that a consumer directs a business to share personal information with is not committing to the business and\/or to the consumer to not sell the personal information, then it appears that this would still be a sale, assuming there is some kind of valuable consideration to the business. This would mean that upon a no-sale request, a business would have to deactivate this kind of sharing. This could arguably present a problem for things like social media plug-ins, where the business implementing the plug-in on its site is arguably obtaining the value of the use of the plug-in (e.g., registering likes of the business or sharing messages about the business). This could be addressed by requiring monetary consideration to rise to the level of sale and\/or providing for other than an all-or-nothing opt-out requirement.<\/li>\n \t
Under the CCPA, consumers have the right to equal service and price, meaning that a business cannot discriminate against a consumer because the consumer exercised any of their rights under the CCPA, subject to certain exceptions. For instance, a business can charge a consumer a different price or rate, or provide a different level or quality of goods or services if the difference in price, rate or quality is \u201creasonably related to the value provided to the Consumer [sic?] by the Consumer\u2019s data.\u201d Presumably, the first use of the word \u201cConsumer\u201d is a typo and intended to be \u201cBusiness.\u201d It would make more sense if this read \u201cvalue provided to the Business by the Consumer\u2019s data.\u201d It will be difficult enough to quantify the value to the business, but seemingly impossible to determine what the value would be to a particular consumer of his own data. The value to a business could arguably be determined by looking at the market for similar data and the cost of acquisition elsewhere, etc., but the value to a consumer seems entirely subjective and not capable of a market-driven appraisal.<\/li>\n \t
As already noted, there is a narrow private right of action under the CCPA, but it is not applicable to violations of the CCPA. Rather, \u201c[a]ny Consumer whose nonencrypted or nonredacted PI, as defined in Section 1798.81.5(d)(1)(A), is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business\u2019 violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute\u201d a private right of action for any of the following: (a) damages not less than $100 and not greater than $750 per consumer per incident, or actual damages, whichever is greater, (b) injunctive or declaratory relief and (c) any other relief the court deems proper, IF<\/u> all the following requirements are met:<\/li>\n<\/ul>\n
(1) Before initiating any action on an individual or class-wide basis, the consumer provides the business 30 days\u2019 written notice identifying the specific provisions of the CCPA that the consumer alleges have been or are being violated, and a 30-day opportunity to cure;<\/p>\n
(2) A consumer bringing an action notifies the CaAG within 30 days that the action has been filed; and<\/p>\n
(3) The CaAG, upon receiving such notice, shall, within 30 days, do one of the following:<\/p>\n
\u2022 Notify the consumer bringing the action of the CaAG\u2019s intent to prosecute an action against the violation. If the CaAG does not prosecute within six months, the consumer may proceed with the action;<\/p>\n
\u2022 Refrain from acting within the 30 days, allowing the consumer bringing the action to proceed; or<\/p>\n
\u2022 Notify the consumer bringing the action that the consumer shall not proceed with the action.<\/p>\n
Pursuant to the Act, in assessing the amount of statutory damages, the court shall consider any one or more of the relevant circumstances presented by any of the parties to the case, including, but not limited to, the nature and seriousness of the misconduct, the number of violations, the persistence of the misconduct, the length of time over which the misconduct occurred, the willfulness of the defendant\u2019s misconduct and the defendant\u2019s assets, liabilities, and net worth. A business\u2019 timely cure, however, will preclude statutory damages.<\/p>\n
As passed, the CCPA has no express duty regarding data security. It is a little confusing given that the CCPA\u2019s limited private right of action is for security breaches of some of the types of data elements that would trigger a notification requirement under CA Civil Code Title 1.81. Section 1798.82, however, uses slightly different language to define what constitutes a security incident. Further, a consumer\u2019s CCPA cause of action is limited to data security failures following a breach, so it is unclear what violation could be noticed or cured. Moreover, even if the duty of security is implied in the CCPA by the private right of action provision, it is not clear how a business could retrospectively cure a past breach, or if all that would be necessary to cure is to prospectively cure the security inadequacies. New SB-1121 proposed to add a sentence to \u00a7<\/strong>1798.150(c) clarifying that the private right of action set forth in \u00a7<\/strong>1798.150(a) only applies to violations of \u00a7<\/strong>1798.150(a), meaning the occurrence of the type of data breach described therein.\u00a0 The 8\/24 Amendment further clarifies this by adding\u201d and shall not be based on violations of any other section of this title.\u201d\u00a0 These are welcome clarifications.\u00a0 However, the proposals do not address the cure issues, nor harmonize Titles 1.81 and 1.81.5, which now have two different and conflicting private rights of action \u2014 one for customers under Title 1.81 and one for consumers under Title 1.81.5.\u00a0 Further, although Section 1798.185(c) provides, \u201cnothing in this act [title] shall be interpreted to serve as the basis for a private right of action under any other law,\u201d it would be helpful to discourage overzealous plaintiff\u2019s attorneys to better explain what we understand to be the intent and add \u201c, and specifically there shall be no private cause of action to recover remedies available under CA Business and Professions Code Section 17200 or other similar consumer protection laws as a result of a violation of this Title.\u201d<\/p>\nThese are but some of the many problems with the CCPA that New SB-1211 and the 8\/24 Amendment have yet to address. See Professor Goldman\u2019s post<\/a> and the ANA Coalition Proposal<\/a> for more. In addition, for a source of ongoing additional information on the CCPA, see this collection<\/a> of articles and resources curated by George Washington University Law School Professor Daniel J. Solove at his CCPA Resource Center.","saveContent":" $\"\"$ \n\nIn response to controversies concerning consumers\u2019 personal information, such as the Facebook\/Cambridge Analytica controversy, and a California ballot initiative that qualified for the November ballot and proposed the California Consumer Privacy Act (\u201cCCPA Initiative\u201d), the legislature in California responded with AB-375, which proposed an alternative version of the California Consumer Privacy Act of 2018. The authors of AB-375 worked out a compromise with the sponsors of the CCPA Initiative, and AB-375 was passed and signed by Governor Jerry Brown, becoming the California Consumer Privacy Act of 2018, codified at Title 18.1.5 of the California Civil Code (the \u201cCCPA\u201d). We have written about the CCPA here<\/a> and here<\/a>. The CCPA becomes effective January 1, 2020, though practically, businesses will need to start data mapping and recordkeeping on January 1, 2019, to be able to be in compliance upon the effective date. The legislature has already started a process of potentially amending the CCPA through SB-1121, which was originally intended as a different alternative to the CCPA Initiative (\u201cOld SB-1121\u201d). SB-1121 was amended on August 6, 2018, to refine the CCPA (\u201cNew SB-1121\u201d).\u00a0 However, as Santa Clara University School of Law Professor Eric Goldman states in his recent article Recent Developments Regarding the California Consumer Privacy Act<\/em><\/a>, New SB-1121 \u201crepresents less than 1% of the obviously needed changes to the bill.\u201d Professor Goldman\u2019s article does a good job of identifying errors and problems that he has collected through crowdsourcing and of summarizing proposed changes that have been submitted to the bill\u2019s authors by leading industry groups led by the Association of National Advertisers (\u201cANA\u201d)(\u201cANA Coalition Proposal\u201d), as well as from public interest groups, including the Electronic Frontier Foundation (\u201cEFF\u201d). On August 24 New SB-1121 was further amended (\u201c8\/24 Amendment\u201d), adding some additional notable changes such as expanding the carve out of data regulated by federal and state privacy laws for healthcare entities and financial institutions, providing for immediate preemption of local laws, and delaying enforcement of the CCPA by the Attorney General until the earlier of six months from adoption of regulations or July 1, 2020.\u00a0 A copy of the current bill as of August 24 is here<\/a>. Unfortunately, even with the August 24 additions, much remains to be fixed and in this post, we point out issues the legislature should address.\n\n\n\nThe original New SB-1121 would amend the CCPA in the following modest ways:\n
\n \t
A business would not be required to disclose a consumer\u2019s deletion right on its website or in its online privacy policy(ies). Rather, it must provide notice \u201cin a form that is reasonably accessible to consumers.\u201d Thus, a business could provide notice through its privacy policy but is not required to.<\/li>\n \t
Adds a Section (k) to 1798.145, which states that the rights and obligations under the CCPA do not apply if they infringe on a business\u2019 noncommercial speech rights. This is a further attempt to guard against a First Amendment challenge to the law.<\/li>\n \t
Adds a sentence to 1798.150(c) clarifying that the private right of action set forth in \u00a7<\/strong>1798.150(a) only applies to \u201cviolations\u201d that are security incidents as described in CA CIVIL CODE \u00a7<\/strong>1798.150(a). This merely clarifies the provision, presumably to try to address ambiguities from the use of the term \u201cviolations\u201d of the CCPA, which itself has no security duty provisions other than in the remedy provision itself.<\/li>\n \t
Adds that the CCPA will not apply if its application is preempted by or is in conflict with the US Constitution. The CCPA, as passed, already stated that it will not apply if its application is preempted by or is in conflict with federal law or the California Constitution.<\/li>\n \t
Makes various grammatical, technical and clarifying changes to the CCPA. For example, it would change \u201cbusiness\u2019\u201d to \u201cbusiness\u2019s\u201d and \u201copt out\u201d to \u201copt-out.\u201d<\/li>\n<\/ul>\nThe 8\/24 Amendment proposes other material changes, such as:\n
\n \t
Prohibiting application of the Act to personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (governing financial institutions) or the CA Financial Information Privacy Act, or protected health information collected by a covered entity or business associate governed by the federal Health Insurance Portability and Accountability Act or medical information governed by the CA Confidentiality of Medical Information Act. This expands existing carve outs.<\/li>\n \t
Further clarifies that the private right of action is limited to the type of data security incident defined in subsection (a) of Section 1798.150 and not any other violations of \u201cany other sections of this title.\u201d<\/li>\n \t
Revises the definition of personal information to clarify that data that falls into the categories of personal information described will only be personal information if \u201cit identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.\u201d In other words, data falling into one of the specified categories is not per se personal information.<\/li>\n \t
Changes the civil penalty provisions available to the Attorney General by (i) making them independent of Section 17206 of the Business and Professions Code; and (ii) providing that penalty for each violation can be up to $7500 regardless of intent (intent currently required to exceed $2500 per violation).<\/li>\n \t
Removes the one year requirement for the Attorney General to establish certain rules and procedures (e.g., opt-out), puts a deadline of July 1, 2020 on the Attorney General to adopt regulations furthering the purpose of the Act, and limits enforcement by the Attorney General until six months thereafter, or July 1, 2020, whichever is sooner.<\/li>\n \t
Makes the preemption of local laws immediate.<\/li>\n<\/ul>\nIn the remainder of this post, we will discuss some of what the legislature should consider addressing as part of SB-1121, or otherwise.\n\nFirst, it is worth noting what was scrapped when amending SB-1121. Old SB-1121 would have amended California\u2019s data breach laws under Title 1.81 of the Civil Code in a manner that would increase consumer remedies when it comes to such breaches and do so beyond what the CCPA provides. For example, under current California data breach law, \u201ccustomers\u201d may bring an action for damages incurred arising out of a business\u2019 violation of data security laws. Old SB-1121 would have expanded the scope of data breach laws to \u201cconsumers,\u201d defined as any natural person, and provided for statutory penalties for data breach and breach notification violations. The CCPA\u2019s new private right of action is more limited, restricting statutory damages to where there is insufficient cure after notice and requiring notice to the Attorney General and the ability for the Attorney General to stop the private action from proceeding. However, neither the CCPA nor SB-1121 changes the existing private right of action under Title 1.81. SB-1121 should be further amended to do away with the private right of action under Title 1.81 and have the new private right of action under Title 1.81.5 be the exclusive private right of action for data security failures. Moreover, Old SB-1121 proposed to expand the coverage of California\u2019s Shine the Light Act beyond California \u201ccustomers\u201d to \u201cconsumers\u201d (i.e., natural persons), with respect to non-compliance with the Shine the Light Act\u2019s transparency and choice requirements regarding sharing of personal information for third-party direct marketing purposes. These provisions were dropped in New SB-1121, but New SB-1121, as revised by the 8\/24 Amendment, does nothing to try to harmonize California\u2019s Shine the Light Act with the much more comprehensive consumer privacy rights of the CCPA. SB-1121 should be further amended to repeal the Shine the Light Act all together.\u00a0 Otherwise, covered businesses will struggle with two different but overlapping California transparency and choice regimes \u2014 including the need to post homepage links on their web sites to both a \u201cYour California Privacy Rights<\/u>\u201d link to a Shine the Light Act rights notice and a \u201cDo Not Sell My Personal Information<\/u>\u201d link to the CCPA opt-out.\n\nLobbyists for both industry and consumer groups are pushing for a variety of changes.\u00a0\u00a0 However, it is unlikely that SB-1121 will be used to substantially water down the CCPA, as the 8\/24 Amendment reflects.\u00a0 The legislative history of both AB-375 and SB-1121 indicates that the ballot initiative sponsors have promised to revive the initiative if that is done. Rather, expect SB-1121 to refine the law, fix conflicts and unintended consequences and possibly better harmonize it with other California data privacy and security laws, such as Shine the Light (regulating sharing of personal information for third-party marketing), Cal. OPPA (regulating online privacy and privacy policies) and data security and breach notification laws. A delay in enforcement proposed by the 8\/24 Amendment seems possible, especially since it is prudent to provide time for regulations to be promulgated and taken into account by businesses.\u00a0 The EFF and other groups are pushing not to water down, but to further expand, consumer rights under the CCPA. For instance, the EFF\u2019s proposals<\/a> include expanding the private right of action to any breach of the CCPA\u2019s obligations, including privacy transparency and choice requirements. The legislative history of the CCPA and reports<\/a> of what went on behind the scenes to reach the compromise indicate that a very narrow private right of action was a key issue for industry, and AB 375\u2019s authors accepted that as fundamental to the compromise.\u00a0 However, as noted below, that intent could be better clarified and it appears from the 8\/24 Amendment that there is interest by the legislature in doing so.\n\nIn addition to harmonizing Title 1.81 and new Title 1.81.5 to repeal the Shine the Light Act and Title 1.81\u2019s private rights of action, as already discussed, a few of the things we would like the California legislature to consider include:\n
\n \t
The ANA Coalition proposal<\/a>, in particular regarding the definition of personal information, deidentified and aggregate data, data portability, detailing specific pieces of personal information on a customer-specific basis, allowing less than an all-or-nothing opt-out of sales, clarifications on incentive and loyalty programs, better cleaning up of conflicts with existing federal laws (which is addressed in the 8\/24 Amendment) and regarding interest-based advertising.<\/li>\n \t
Businesses must list the categories of personal information disclosed for a business purpose in the preceding 12 months (or if the business has not disclosed consumers\u2019 personal information for a business purpose in the preceding 12 months, the business must state that). However, there is no obligation to include a list of categories of personal information disclosed for a commercial purpose in the preceding 12 months. This distinction between the underlying purposes does not apply with respect to categories of personal information collected, just disclosed. Was this intentional or a drafting error?<\/li>\n \t
The CCPA is internally inconsistent as to whether or not the online notice needs to include the categories of sources from which personal information is collected, the categories of third parties with which personal information is disclosed and the specific pieces of personal information collected about a specific consumer. This should be clarified. Obviously, the last could not be done in a general notice.<\/li>\n \t
The CCPA permits transfers to a third party the of personal information of a consumer as an asset that is part of a merger, acquisition, bankruptcy or other transaction in which the third party assumes control of all or part of the business, provided that information is used or shared consistently with 1798.110 and \u00a71798.115. If the recipient in such a transaction materially alters how it uses or shares the PI of a consumer in a manner that is materially inconsistent with the promises made at the time of collection, it needs to provide prior notice of the new or changed practice to the consumer. However, \u00a7<\/strong> 1798.110 and \u00a7<\/strong> 1798.115 are the sections that set forth notice and disclosure requirements of consumer rights under the CCPA regarding businesses that collect personal information, sell personal information or disclose personal information for a business purpose. Presumably, the intent is that the data continue to be used and shared as described in the privacy policy or notice that included those CCPA rights disclosures. However, that is not what the Act explicitly states.<\/li>\n \t
The definition of business includes, \u201c[a]ny entity that controls or is controlled by a business, as defined in subparagraph (1), and that shares Common Branding [\u201cshared name, servicemark, or trademark\u201d] with the business.\u201d As such, the CCPA essentially requires all of the members of a similarly branded family of companies that have an entity that meets the definition of business to also be treated as a covered business.\u00a0It is not clear if the intent is that the commonly branded entities must or can be treated as a single business under the CCPA.<\/li>\n \t
The CCPA will regulate \u201cpersonal information,\u201d broadly defined as \u201cinformation that identifies, relates to, describes, is capable of being associated with<\/em><\/strong> or could reasonably be linked, directly or indirectly<\/em> with a particular consumer or household<\/em>.\u201d This includes information collected both online and offline. It is hard to imagine what data about a person is not capable of being associated with<\/em> a particular consumer or household. For instance, demographic data alone (e.g., gender, profession, race) is capable of being associated with a person, but alone, it will not reasonably enable their identification or be reasonably linked to a specific person. Compare this to the definition of personal information under Title 1.81 of the California Civil Code, which includes California\u2019s customer records security and breach laws, and the Shine the Light Act\u2019s marketing transparency and choice requirements. In that title, there is a top-level definition of personal information that includes \u201cany information \u2026 capable of being associated with a particular individual\u201d to which the duty of reasonable security under the circumstances applies, but more narrow definitions are used regarding a customer\u2019s rights regarding sharing for third-party marketing purposes (\u201cany information that when it was disclosed<\/u> identified, described or was able to be associated with<\/em> an individual\u2026.)\u201d and regarding the type of data that will trigger a breach notification obligation (first initial or name and last name plus an account number or ID number and password). While a broad definition arguably has utility with respect to providing notice of what data is collected, when applied to what data is disclosed or sold, and even more so as applied to opt-out, portability and deletion rights, it is likely practically unworkable. This problem is made worse by the CCPA\u2019s ambiguities regarding deidentified data and aggregate consumer information, discussed below. The 8\/24 Amendment\u2019s revision of the definition of personal information does not reach this issue.<\/li>\n \t
The definition of PI under the CCPA does not include publicly available information. \u201cPublicly available\u201d is defined as \u201cinformation that is lawfully made available from federal, state or local government records, if any conditions associated with such information<\/em>.\u201d The italicized language seems to be a typo or an incomplete thought. Further, under the Act, information is not \u201cpublicly available\u201d if that data is used for a purpose that is not compatible with the purpose for which the data is maintained and made available in the government records or for which it is publicly maintained. Practically, this likely precludes many, if not most, uses by a business, given that their uses will rarely be the same as the government\u2019s purpose, at least with respect to most commercial purposes. Also included in the provision regarding what is not personal information is deidentified data and aggregate consumer information, suggesting that these types of data are intended to be excluded from the definition of personal information, but this is unclear as the law is currently worded. The CCPA states \u201c\u2018Publicly Available\u2019 does not include consumer information that is Deidentified or aggregate consumer information.\u201d The intent is likely to have used \u201cPersonal Information\u201d rather than \u201cPublicly Available,\u201d given the context. However, Section 1798.145(a)(5) provides that \u201c[t]he obligations imposed on businesses by this title shall not restrict a business\u2019s ability to \u2026 collect, use, retain, sell or disclose consumer information that is deidentified or in the aggregate consumer information.\u201d This would seem sufficient to remove deidentified and aggregate consumer information from the data applicable to deletion and \u201cdo not sell\u201d rights. Practically, portability rights would also not apply, especially since the CCPA provides that there is no obligation to re-identify deidentified data \u201cnot maintained in a manner that would be considered personal information.\u201d However, the other obligations regarding personal information would seem to apply unless the definition of personal information is not clarified to exclude deidentified and aggregate consumer information. Also, the definition of deidentified suffers from the same problem as the definition of personal information \u2014 data \u201ccapable of being associated with \u2026 a particular consumer,\u201d which could be cured by taking a narrower view of personal information as already suggested.<\/li>\n \t
Another ambiguity regarding what is and is not personal information has to do with device identifiers. The definition of personal information is tied to a \u201cparticular consumer or household,\u201d and \u201cdevice\u201d is not included in the definition. However, it is used for purposes of counting \u201cthe personal information of 50,000 or more consumers, households or devices\u201d for reaching the threshold of being a covered business. Further, the examples of personal information, which are also the categories that personal information is to be grouped in for reporting purposes, include Unique IDs and Probabilistic IDs, both of which are said to be tied to a device, and the definition of aggregate consumer information excludes information that is linkable to a device. Accordingly, are browser IDs, cookie IDs, AD IDs and other unique identifiers used to identify a device, or a pseudonymous user, personal information or deidentified? This is particularly relevant given the personal information deletion right. Under a broad interpretation of the Act, such a deletion request could potentially require the deletion of cookies, other device IDs, other unique identifiers and related usage data for many of the purposes for which a business would typically use them that are not included in the exceptions of the deletion requirement. Again, this could be fixed by a much narrower definition of personal information, at least for purposes other than notice of collection.<\/li>\n \t
The CCPA requires a business that collects a consumer\u2019s personal information to, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information will be used. A business cannot collect additional categories of personal information or use personal information collected for additional purposes without providing the consumer with such notice. No guidance is given on whether disclosure in a publicly posted privacy policy is sufficient notice. This is particularly relevant when the collection takes place in a context remote from where the privacy policy is posted. For instance, collection includes buying, renting, obtaining or receiving personal information indirectly or passively and\/or from a third party. Other than in a publicly posted privacy policy, how could a business make the required disclosures prior to a third-party transfer where the business has no touchpoint with the data subject? While the recipient business could contractually require the disclosing business to provide the notice prior to its collection, that would not seem to meet the technical requirements of the statute.<\/li>\n \t
Under the CCPA, \u201csell,\u201d \u201cselling,\u201d \u201csale\u201d and \u201csold\u201d are defined as \u201cselling, renting, releasing, disclosing, disseminating, making available, transferring or otherwise communicating a consumer\u2019s personal information to another business or a third party for monetary or valuable consideration.\u201d However, a business does not \u201csell\u201d personal information under the CCPA when a consumer uses or directs the business to intentionally disclose personal information or uses the business to intentionally interact with a third party, provided the third party does not also sell the personal information, unless that disclosure would be consistent with the provisions of the Act. If the third party that a consumer directs a business to share personal information with is not committing to the business and\/or to the consumer to not sell the personal information, then it appears that this would still be a sale, assuming there is some kind of valuable consideration to the business. This would mean that upon a no-sale request, a business would have to deactivate this kind of sharing. This could arguably present a problem for things like social media plug-ins, where the business implementing the plug-in on its site is arguably obtaining the value of the use of the plug-in (e.g., registering likes of the business or sharing messages about the business). This could be addressed by requiring monetary consideration to rise to the level of sale and\/or providing for other than an all-or-nothing opt-out requirement.<\/li>\n \t
Under the CCPA, consumers have the right to equal service and price, meaning that a business cannot discriminate against a consumer because the consumer exercised any of their rights under the CCPA, subject to certain exceptions. For instance, a business can charge a consumer a different price or rate, or provide a different level or quality of goods or services if the difference in price, rate or quality is \u201creasonably related to the value provided to the Consumer [sic?] by the Consumer\u2019s data.\u201d Presumably, the first use of the word \u201cConsumer\u201d is a typo and intended to be \u201cBusiness.\u201d It would make more sense if this read \u201cvalue provided to the Business by the Consumer\u2019s data.\u201d It will be difficult enough to quantify the value to the business, but seemingly impossible to determine what the value would be to a particular consumer of his own data. The value to a business could arguably be determined by looking at the market for similar data and the cost of acquisition elsewhere, etc., but the value to a consumer seems entirely subjective and not capable of a market-driven appraisal.<\/li>\n \t
As already noted, there is a narrow private right of action under the CCPA, but it is not applicable to violations of the CCPA. Rather, \u201c[a]ny Consumer whose nonencrypted or nonredacted PI, as defined in Section 1798.81.5(d)(1)(A), is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business\u2019 violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute\u201d a private right of action for any of the following: (a) damages not less than $100 and not greater than $750 per consumer per incident, or actual damages, whichever is greater, (b) injunctive or declaratory relief and (c) any other relief the court deems proper, IF<\/u> all the following requirements are met:<\/li>\n<\/ul>\n
(1) Before initiating any action on an individual or class-wide basis, the consumer provides the business 30 days\u2019 written notice identifying the specific provisions of the CCPA that the consumer alleges have been or are being violated, and a 30-day opportunity to cure;<\/p>\n
(2) A consumer bringing an action notifies the CaAG within 30 days that the action has been filed; and<\/p>\n
(3) The CaAG, upon receiving such notice, shall, within 30 days, do one of the following:<\/p>\n
\u2022 Notify the consumer bringing the action of the CaAG\u2019s intent to prosecute an action against the violation. If the CaAG does not prosecute within six months, the consumer may proceed with the action;<\/p>\n
\u2022 Refrain from acting within the 30 days, allowing the consumer bringing the action to proceed; or<\/p>\n
\u2022 Notify the consumer bringing the action that the consumer shall not proceed with the action.<\/p>\n
Pursuant to the Act, in assessing the amount of statutory damages, the court shall consider any one or more of the relevant circumstances presented by any of the parties to the case, including, but not limited to, the nature and seriousness of the misconduct, the number of violations, the persistence of the misconduct, the length of time over which the misconduct occurred, the willfulness of the defendant\u2019s misconduct and the defendant\u2019s assets, liabilities, and net worth. A business\u2019 timely cure, however, will preclude statutory damages.<\/p>\n
As passed, the CCPA has no express duty regarding data security. It is a little confusing given that the CCPA\u2019s limited private right of action is for security breaches of some of the types of data elements that would trigger a notification requirement under CA Civil Code Title 1.81. Section 1798.82, however, uses slightly different language to define what constitutes a security incident. Further, a consumer\u2019s CCPA cause of action is limited to data security failures following a breach, so it is unclear what violation could be noticed or cured. Moreover, even if the duty of security is implied in the CCPA by the private right of action provision, it is not clear how a business could retrospectively cure a past breach, or if all that would be necessary to cure is to prospectively cure the security inadequacies. New SB-1121 proposed to add a sentence to \u00a7<\/strong>1798.150(c) clarifying that the private right of action set forth in \u00a7<\/strong>1798.150(a) only applies to violations of \u00a7<\/strong>1798.150(a), meaning the occurrence of the type of data breach described therein.\u00a0 The 8\/24 Amendment further clarifies this by adding\u201d and shall not be based on violations of any other section of this title.\u201d\u00a0 These are welcome clarifications.\u00a0 However, the proposals do not address the cure issues, nor harmonize Titles 1.81 and 1.81.5, which now have two different and conflicting private rights of action \u2014 one for customers under Title 1.81 and one for consumers under Title 1.81.5.\u00a0 Further, although Section 1798.185(c) provides, \u201cnothing in this act [title] shall be interpreted to serve as the basis for a private right of action under any other law,\u201d it would be helpful to discourage overzealous plaintiff\u2019s attorneys to better explain what we understand to be the intent and add \u201c, and specifically there shall be no private cause of action to recover remedies available under CA Business and Professions Code Section 17200 or other similar consumer protection laws as a result of a violation of this Title.\u201d<\/p>\nThese are but some of the many problems with the CCPA that New SB-1211 and the 8\/24 Amendment have yet to address. See Professor Goldman\u2019s post<\/a> and the ANA Coalition Proposal<\/a> for more. In addition, for a source of ongoing additional information on the CCPA, see this collection<\/a> of articles and resources curated by George Washington University Law School Professor Daniel J. Solove at his CCPA Resource Center.","order":0,"get_parent":{},"attributes":{"content":" $\"\"$ \n\nIn response to controversies concerning consumers\u2019 personal information, such as the Facebook\/Cambridge Analytica controversy, and a California ballot initiative that qualified for the November ballot and proposed the California Consumer Privacy Act (\u201cCCPA Initiative\u201d), the legislature in California responded with AB-375, which proposed an alternative version of the California Consumer Privacy Act of 2018. The authors of AB-375 worked out a compromise with the sponsors of the CCPA Initiative, and AB-375 was passed and signed by Governor Jerry Brown, becoming the California Consumer Privacy Act of 2018, codified at Title 18.1.5 of the California Civil Code (the \u201cCCPA\u201d). We have written about the CCPA here<\/a> and here<\/a>. The CCPA becomes effective January 1, 2020, though practically, businesses will need to start data mapping and recordkeeping on January 1, 2019, to be able to be in compliance upon the effective date. The legislature has already started a process of potentially amending the CCPA through SB-1121, which was originally intended as a different alternative to the CCPA Initiative (\u201cOld SB-1121\u201d). SB-1121 was amended on August 6, 2018, to refine the CCPA (\u201cNew SB-1121\u201d).\u00a0 However, as Santa Clara University School of Law Professor Eric Goldman states in his recent article Recent Developments Regarding the California Consumer Privacy Act<\/em><\/a>, New SB-1121 \u201crepresents less than 1% of the obviously needed changes to the bill.\u201d Professor Goldman\u2019s article does a good job of identifying errors and problems that he has collected through crowdsourcing and of summarizing proposed changes that have been submitted to the bill\u2019s authors by leading industry groups led by the Association of National Advertisers (\u201cANA\u201d)(\u201cANA Coalition Proposal\u201d), as well as from public interest groups, including the Electronic Frontier Foundation (\u201cEFF\u201d). On August 24 New SB-1121 was further amended (\u201c8\/24 Amendment\u201d), adding some additional notable changes such as expanding the carve out of data regulated by federal and state privacy laws for healthcare entities and financial institutions, providing for immediate preemption of local laws, and delaying enforcement of the CCPA by the Attorney General until the earlier of six months from adoption of regulations or July 1, 2020.\u00a0 A copy of the current bill as of August 24 is here<\/a>. Unfortunately, even with the August 24 additions, much remains to be fixed and in this post, we point out issues the legislature should address.\n\n\n\nThe original New SB-1121 would amend the CCPA in the following modest ways:\n
\n \t
A business would not be required to disclose a consumer\u2019s deletion right on its website or in its online privacy policy(ies). Rather, it must provide notice \u201cin a form that is reasonably accessible to consumers.\u201d Thus, a business could provide notice through its privacy policy but is not required to.<\/li>\n \t
Adds a Section (k) to 1798.145, which states that the rights and obligations under the CCPA do not apply if they infringe on a business\u2019 noncommercial speech rights. This is a further attempt to guard against a First Amendment challenge to the law.<\/li>\n \t
Adds a sentence to 1798.150(c) clarifying that the private right of action set forth in \u00a7<\/strong>1798.150(a) only applies to \u201cviolations\u201d that are security incidents as described in CA CIVIL CODE \u00a7<\/strong>1798.150(a). This merely clarifies the provision, presumably to try to address ambiguities from the use of the term \u201cviolations\u201d of the CCPA, which itself has no security duty provisions other than in the remedy provision itself.<\/li>\n \t
Adds that the CCPA will not apply if its application is preempted by or is in conflict with the US Constitution. The CCPA, as passed, already stated that it will not apply if its application is preempted by or is in conflict with federal law or the California Constitution.<\/li>\n \t
Makes various grammatical, technical and clarifying changes to the CCPA. For example, it would change \u201cbusiness\u2019\u201d to \u201cbusiness\u2019s\u201d and \u201copt out\u201d to \u201copt-out.\u201d<\/li>\n<\/ul>\nThe 8\/24 Amendment proposes other material changes, such as:\n
\n \t
Prohibiting application of the Act to personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (governing financial institutions) or the CA Financial Information Privacy Act, or protected health information collected by a covered entity or business associate governed by the federal Health Insurance Portability and Accountability Act or medical information governed by the CA Confidentiality of Medical Information Act. This expands existing carve outs.<\/li>\n \t
Further clarifies that the private right of action is limited to the type of data security incident defined in subsection (a) of Section 1798.150 and not any other violations of \u201cany other sections of this title.\u201d<\/li>\n \t
Revises the definition of personal information to clarify that data that falls into the categories of personal information described will only be personal information if \u201cit identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.\u201d In other words, data falling into one of the specified categories is not per se personal information.<\/li>\n \t
Changes the civil penalty provisions available to the Attorney General by (i) making them independent of Section 17206 of the Business and Professions Code; and (ii) providing that penalty for each violation can be up to $7500 regardless of intent (intent currently required to exceed $2500 per violation).<\/li>\n \t
Removes the one year requirement for the Attorney General to establish certain rules and procedures (e.g., opt-out), puts a deadline of July 1, 2020 on the Attorney General to adopt regulations furthering the purpose of the Act, and limits enforcement by the Attorney General until six months thereafter, or July 1, 2020, whichever is sooner.<\/li>\n \t
Makes the preemption of local laws immediate.<\/li>\n<\/ul>\nIn the remainder of this post, we will discuss some of what the legislature should consider addressing as part of SB-1121, or otherwise.\n\nFirst, it is worth noting what was scrapped when amending SB-1121. Old SB-1121 would have amended California\u2019s data breach laws under Title 1.81 of the Civil Code in a manner that would increase consumer remedies when it comes to such breaches and do so beyond what the CCPA provides. For example, under current California data breach law, \u201ccustomers\u201d may bring an action for damages incurred arising out of a business\u2019 violation of data security laws. Old SB-1121 would have expanded the scope of data breach laws to \u201cconsumers,\u201d defined as any natural person, and provided for statutory penalties for data breach and breach notification violations. The CCPA\u2019s new private right of action is more limited, restricting statutory damages to where there is insufficient cure after notice and requiring notice to the Attorney General and the ability for the Attorney General to stop the private action from proceeding. However, neither the CCPA nor SB-1121 changes the existing private right of action under Title 1.81. SB-1121 should be further amended to do away with the private right of action under Title 1.81 and have the new private right of action under Title 1.81.5 be the exclusive private right of action for data security failures. Moreover, Old SB-1121 proposed to expand the coverage of California\u2019s Shine the Light Act beyond California \u201ccustomers\u201d to \u201cconsumers\u201d (i.e., natural persons), with respect to non-compliance with the Shine the Light Act\u2019s transparency and choice requirements regarding sharing of personal information for third-party direct marketing purposes. These provisions were dropped in New SB-1121, but New SB-1121, as revised by the 8\/24 Amendment, does nothing to try to harmonize California\u2019s Shine the Light Act with the much more comprehensive consumer privacy rights of the CCPA. SB-1121 should be further amended to repeal the Shine the Light Act all together.\u00a0 Otherwise, covered businesses will struggle with two different but overlapping California transparency and choice regimes \u2014 including the need to post homepage links on their web sites to both a \u201cYour California Privacy Rights<\/u>\u201d link to a Shine the Light Act rights notice and a \u201cDo Not Sell My Personal Information<\/u>\u201d link to the CCPA opt-out.\n\nLobbyists for both industry and consumer groups are pushing for a variety of changes.\u00a0\u00a0 However, it is unlikely that SB-1121 will be used to substantially water down the CCPA, as the 8\/24 Amendment reflects.\u00a0 The legislative history of both AB-375 and SB-1121 indicates that the ballot initiative sponsors have promised to revive the initiative if that is done. Rather, expect SB-1121 to refine the law, fix conflicts and unintended consequences and possibly better harmonize it with other California data privacy and security laws, such as Shine the Light (regulating sharing of personal information for third-party marketing), Cal. OPPA (regulating online privacy and privacy policies) and data security and breach notification laws. A delay in enforcement proposed by the 8\/24 Amendment seems possible, especially since it is prudent to provide time for regulations to be promulgated and taken into account by businesses.\u00a0 The EFF and other groups are pushing not to water down, but to further expand, consumer rights under the CCPA. For instance, the EFF\u2019s proposals<\/a> include expanding the private right of action to any breach of the CCPA\u2019s obligations, including privacy transparency and choice requirements. The legislative history of the CCPA and reports<\/a> of what went on behind the scenes to reach the compromise indicate that a very narrow private right of action was a key issue for industry, and AB 375\u2019s authors accepted that as fundamental to the compromise.\u00a0 However, as noted below, that intent could be better clarified and it appears from the 8\/24 Amendment that there is interest by the legislature in doing so.\n\nIn addition to harmonizing Title 1.81 and new Title 1.81.5 to repeal the Shine the Light Act and Title 1.81\u2019s private rights of action, as already discussed, a few of the things we would like the California legislature to consider include:\n
\n \t
The ANA Coalition proposal<\/a>, in particular regarding the definition of personal information, deidentified and aggregate data, data portability, detailing specific pieces of personal information on a customer-specific basis, allowing less than an all-or-nothing opt-out of sales, clarifications on incentive and loyalty programs, better cleaning up of conflicts with existing federal laws (which is addressed in the 8\/24 Amendment) and regarding interest-based advertising.<\/li>\n \t
Businesses must list the categories of personal information disclosed for a business purpose in the preceding 12 months (or if the business has not disclosed consumers\u2019 personal information for a business purpose in the preceding 12 months, the business must state that). However, there is no obligation to include a list of categories of personal information disclosed for a commercial purpose in the preceding 12 months. This distinction between the underlying purposes does not apply with respect to categories of personal information collected, just disclosed. Was this intentional or a drafting error?<\/li>\n \t
The CCPA is internally inconsistent as to whether or not the online notice needs to include the categories of sources from which personal information is collected, the categories of third parties with which personal information is disclosed and the specific pieces of personal information collected about a specific consumer. This should be clarified. Obviously, the last could not be done in a general notice.<\/li>\n \t
The CCPA permits transfers to a third party the of personal information of a consumer as an asset that is part of a merger, acquisition, bankruptcy or other transaction in which the third party assumes control of all or part of the business, provided that information is used or shared consistently with 1798.110 and \u00a71798.115. If the recipient in such a transaction materially alters how it uses or shares the PI of a consumer in a manner that is materially inconsistent with the promises made at the time of collection, it needs to provide prior notice of the new or changed practice to the consumer. However, \u00a7<\/strong> 1798.110 and \u00a7<\/strong> 1798.115 are the sections that set forth notice and disclosure requirements of consumer rights under the CCPA regarding businesses that collect personal information, sell personal information or disclose personal information for a business purpose. Presumably, the intent is that the data continue to be used and shared as described in the privacy policy or notice that included those CCPA rights disclosures. However, that is not what the Act explicitly states.<\/li>\n \t
The definition of business includes, \u201c[a]ny entity that controls or is controlled by a business, as defined in subparagraph (1), and that shares Common Branding [\u201cshared name, servicemark, or trademark\u201d] with the business.\u201d As such, the CCPA essentially requires all of the members of a similarly branded family of companies that have an entity that meets the definition of business to also be treated as a covered business.\u00a0It is not clear if the intent is that the commonly branded entities must or can be treated as a single business under the CCPA.<\/li>\n \t
The CCPA will regulate \u201cpersonal information,\u201d broadly defined as \u201cinformation that identifies, relates to, describes, is capable of being associated with<\/em><\/strong> or could reasonably be linked, directly or indirectly<\/em> with a particular consumer or household<\/em>.\u201d This includes information collected both online and offline. It is hard to imagine what data about a person is not capable of being associated with<\/em> a particular consumer or household. For instance, demographic data alone (e.g., gender, profession, race) is capable of being associated with a person, but alone, it will not reasonably enable their identification or be reasonably linked to a specific person. Compare this to the definition of personal information under Title 1.81 of the California Civil Code, which includes California\u2019s customer records security and breach laws, and the Shine the Light Act\u2019s marketing transparency and choice requirements. In that title, there is a top-level definition of personal information that includes \u201cany information \u2026 capable of being associated with a particular individual\u201d to which the duty of reasonable security under the circumstances applies, but more narrow definitions are used regarding a customer\u2019s rights regarding sharing for third-party marketing purposes (\u201cany information that when it was disclosed<\/u> identified, described or was able to be associated with<\/em> an individual\u2026.)\u201d and regarding the type of data that will trigger a breach notification obligation (first initial or name and last name plus an account number or ID number and password). While a broad definition arguably has utility with respect to providing notice of what data is collected, when applied to what data is disclosed or sold, and even more so as applied to opt-out, portability and deletion rights, it is likely practically unworkable. This problem is made worse by the CCPA\u2019s ambiguities regarding deidentified data and aggregate consumer information, discussed below. The 8\/24 Amendment\u2019s revision of the definition of personal information does not reach this issue.<\/li>\n \t
The definition of PI under the CCPA does not include publicly available information. \u201cPublicly available\u201d is defined as \u201cinformation that is lawfully made available from federal, state or local government records, if any conditions associated with such information<\/em>.\u201d The italicized language seems to be a typo or an incomplete thought. Further, under the Act, information is not \u201cpublicly available\u201d if that data is used for a purpose that is not compatible with the purpose for which the data is maintained and made available in the government records or for which it is publicly maintained. Practically, this likely precludes many, if not most, uses by a business, given that their uses will rarely be the same as the government\u2019s purpose, at least with respect to most commercial purposes. Also included in the provision regarding what is not personal information is deidentified data and aggregate consumer information, suggesting that these types of data are intended to be excluded from the definition of personal information, but this is unclear as the law is currently worded. The CCPA states \u201c\u2018Publicly Available\u2019 does not include consumer information that is Deidentified or aggregate consumer information.\u201d The intent is likely to have used \u201cPersonal Information\u201d rather than \u201cPublicly Available,\u201d given the context. However, Section 1798.145(a)(5) provides that \u201c[t]he obligations imposed on businesses by this title shall not restrict a business\u2019s ability to \u2026 collect, use, retain, sell or disclose consumer information that is deidentified or in the aggregate consumer information.\u201d This would seem sufficient to remove deidentified and aggregate consumer information from the data applicable to deletion and \u201cdo not sell\u201d rights. Practically, portability rights would also not apply, especially since the CCPA provides that there is no obligation to re-identify deidentified data \u201cnot maintained in a manner that would be considered personal information.\u201d However, the other obligations regarding personal information would seem to apply unless the definition of personal information is not clarified to exclude deidentified and aggregate consumer information. Also, the definition of deidentified suffers from the same problem as the definition of personal information \u2014 data \u201ccapable of being associated with \u2026 a particular consumer,\u201d which could be cured by taking a narrower view of personal information as already suggested.<\/li>\n \t
Another ambiguity regarding what is and is not personal information has to do with device identifiers. The definition of personal information is tied to a \u201cparticular consumer or household,\u201d and \u201cdevice\u201d is not included in the definition. However, it is used for purposes of counting \u201cthe personal information of 50,000 or more consumers, households or devices\u201d for reaching the threshold of being a covered business. Further, the examples of personal information, which are also the categories that personal information is to be grouped in for reporting purposes, include Unique IDs and Probabilistic IDs, both of which are said to be tied to a device, and the definition of aggregate consumer information excludes information that is linkable to a device. Accordingly, are browser IDs, cookie IDs, AD IDs and other unique identifiers used to identify a device, or a pseudonymous user, personal information or deidentified? This is particularly relevant given the personal information deletion right. Under a broad interpretation of the Act, such a deletion request could potentially require the deletion of cookies, other device IDs, other unique identifiers and related usage data for many of the purposes for which a business would typically use them that are not included in the exceptions of the deletion requirement. Again, this could be fixed by a much narrower definition of personal information, at least for purposes other than notice of collection.<\/li>\n \t
The CCPA requires a business that collects a consumer\u2019s personal information to, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information will be used. A business cannot collect additional categories of personal information or use personal information collected for additional purposes without providing the consumer with such notice. No guidance is given on whether disclosure in a publicly posted privacy policy is sufficient notice. This is particularly relevant when the collection takes place in a context remote from where the privacy policy is posted. For instance, collection includes buying, renting, obtaining or receiving personal information indirectly or passively and\/or from a third party. Other than in a publicly posted privacy policy, how could a business make the required disclosures prior to a third-party transfer where the business has no touchpoint with the data subject? While the recipient business could contractually require the disclosing business to provide the notice prior to its collection, that would not seem to meet the technical requirements of the statute.<\/li>\n \t
Under the CCPA, \u201csell,\u201d \u201cselling,\u201d \u201csale\u201d and \u201csold\u201d are defined as \u201cselling, renting, releasing, disclosing, disseminating, making available, transferring or otherwise communicating a consumer\u2019s personal information to another business or a third party for monetary or valuable consideration.\u201d However, a business does not \u201csell\u201d personal information under the CCPA when a consumer uses or directs the business to intentionally disclose personal information or uses the business to intentionally interact with a third party, provided the third party does not also sell the personal information, unless that disclosure would be consistent with the provisions of the Act. If the third party that a consumer directs a business to share personal information with is not committing to the business and\/or to the consumer to not sell the personal information, then it appears that this would still be a sale, assuming there is some kind of valuable consideration to the business. This would mean that upon a no-sale request, a business would have to deactivate this kind of sharing. This could arguably present a problem for things like social media plug-ins, where the business implementing the plug-in on its site is arguably obtaining the value of the use of the plug-in (e.g., registering likes of the business or sharing messages about the business). This could be addressed by requiring monetary consideration to rise to the level of sale and\/or providing for other than an all-or-nothing opt-out requirement.<\/li>\n \t
Under the CCPA, consumers have the right to equal service and price, meaning that a business cannot discriminate against a consumer because the consumer exercised any of their rights under the CCPA, subject to certain exceptions. For instance, a business can charge a consumer a different price or rate, or provide a different level or quality of goods or services if the difference in price, rate or quality is \u201creasonably related to the value provided to the Consumer [sic?] by the Consumer\u2019s data.\u201d Presumably, the first use of the word \u201cConsumer\u201d is a typo and intended to be \u201cBusiness.\u201d It would make more sense if this read \u201cvalue provided to the Business by the Consumer\u2019s data.\u201d It will be difficult enough to quantify the value to the business, but seemingly impossible to determine what the value would be to a particular consumer of his own data. The value to a business could arguably be determined by looking at the market for similar data and the cost of acquisition elsewhere, etc., but the value to a consumer seems entirely subjective and not capable of a market-driven appraisal.<\/li>\n \t
As already noted, there is a narrow private right of action under the CCPA, but it is not applicable to violations of the CCPA. Rather, \u201c[a]ny Consumer whose nonencrypted or nonredacted PI, as defined in Section 1798.81.5(d)(1)(A), is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business\u2019 violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute\u201d a private right of action for any of the following: (a) damages not less than $100 and not greater than $750 per consumer per incident, or actual damages, whichever is greater, (b) injunctive or declaratory relief and (c) any other relief the court deems proper, IF<\/u> all the following requirements are met:<\/li>\n<\/ul>\n
(1) Before initiating any action on an individual or class-wide basis, the consumer provides the business 30 days\u2019 written notice identifying the specific provisions of the CCPA that the consumer alleges have been or are being violated, and a 30-day opportunity to cure;<\/p>\n
(2) A consumer bringing an action notifies the CaAG within 30 days that the action has been filed; and<\/p>\n
(3) The CaAG, upon receiving such notice, shall, within 30 days, do one of the following:<\/p>\n
\u2022 Notify the consumer bringing the action of the CaAG\u2019s intent to prosecute an action against the violation. If the CaAG does not prosecute within six months, the consumer may proceed with the action;<\/p>\n
\u2022 Refrain from acting within the 30 days, allowing the consumer bringing the action to proceed; or<\/p>\n
\u2022 Notify the consumer bringing the action that the consumer shall not proceed with the action.<\/p>\n
Pursuant to the Act, in assessing the amount of statutory damages, the court shall consider any one or more of the relevant circumstances presented by any of the parties to the case, including, but not limited to, the nature and seriousness of the misconduct, the number of violations, the persistence of the misconduct, the length of time over which the misconduct occurred, the willfulness of the defendant\u2019s misconduct and the defendant\u2019s assets, liabilities, and net worth. A business\u2019 timely cure, however, will preclude statutory damages.<\/p>\n
As passed, the CCPA has no express duty regarding data security. It is a little confusing given that the CCPA\u2019s limited private right of action is for security breaches of some of the types of data elements that would trigger a notification requirement under CA Civil Code Title 1.81. Section 1798.82, however, uses slightly different language to define what constitutes a security incident. Further, a consumer\u2019s CCPA cause of action is limited to data security failures following a breach, so it is unclear what violation could be noticed or cured. Moreover, even if the duty of security is implied in the CCPA by the private right of action provision, it is not clear how a business could retrospectively cure a past breach, or if all that would be necessary to cure is to prospectively cure the security inadequacies. New SB-1121 proposed to add a sentence to \u00a7<\/strong>1798.150(c) clarifying that the private right of action set forth in \u00a7<\/strong>1798.150(a) only applies to violations of \u00a7<\/strong>1798.150(a), meaning the occurrence of the type of data breach described therein.\u00a0 The 8\/24 Amendment further clarifies this by adding\u201d and shall not be based on violations of any other section of this title.\u201d\u00a0 These are welcome clarifications.\u00a0 However, the proposals do not address the cure issues, nor harmonize Titles 1.81 and 1.81.5, which now have two different and conflicting private rights of action \u2014 one for customers under Title 1.81 and one for consumers under Title 1.81.5.\u00a0 Further, although Section 1798.185(c) provides, \u201cnothing in this act [title] shall be interpreted to serve as the basis for a private right of action under any other law,\u201d it would be helpful to discourage overzealous plaintiff\u2019s attorneys to better explain what we understand to be the intent and add \u201c, and specifically there shall be no private cause of action to recover remedies available under CA Business and Professions Code Section 17200 or other similar consumer protection laws as a result of a violation of this Title.\u201d<\/p>\nThese are but some of the many problems with the CCPA that New SB-1211 and the 8\/24 Amendment have yet to address. See Professor Goldman\u2019s post<\/a> and the ANA Coalition Proposal<\/a> for more. In addition, for a source of ongoing additional information on the CCPA, see this collection<\/a> of articles and resources curated by George Washington University Law School Professor Daniel J. Solove at his CCPA Resource Center."},"attributesType":{"content":{"type":"string","source":"html"},"lock":{"type":"object"}},"dynamicContent":null}]

SB-1121 Does Not Fix the CA Consumer Privacy Act, But Would Delay Enforcement