In response to controversies concerning consumers’ personal information, such as the Facebook/Cambridge Analytica controversy, and a California ballot initiative that qualified for the November ballot and proposed the California Consumer Privacy Act (“CCPA Initiative”), the legislature in California responded with AB-375, which proposed an alternative version of the California Consumer Privacy Act of 2018. The authors of AB-375 worked out a compromise with the sponsors of the CCPA Initiative, and AB-375 was passed and signed by Governor Jerry Brown, becoming the California Consumer Privacy Act of 2018, codified at Title 1.81.5 of the California Civil Code (the “CCPA”). We have written about the CCPA here and here. The CCPA becomes effective January 1, 2020, though practically, businesses will need to start data mapping and recordkeeping on January 1, 2019, to be able to be in compliance upon the effective date. The legislature has already started a process of potentially amending the CCPA through SB-1121, which was originally intended as a different alternative to the CCPA Initiative (“Old SB-1121”). SB-1121 was amended on August 6, 2018, to refine the CCPA (“New SB-1121”). However, as Santa Clara University School of Law Professor Eric Goldman states in his recent article Recent Developments Regarding the California Consumer Privacy Act, New SB-1121 “represents less than 1% of the obviously needed changes to the bill.” Professor Goldman’s article does a good job of identifying errors and problems that he has collected through crowdsourcing and of summarizing proposed changes that have been submitted to the bill’s authors by leading industry groups led by the Association of National Advertisers (“ANA”) (“ANA Coalition Proposal”), as well as from public interest groups, including the Electronic Frontier Foundation (“EFF”).
On August 24 New SB-1121 was further amended (“8/24 Amendment”), adding some additional notable changes such as expanding the carve out of data regulated by federal and state privacy laws for healthcare entities and financial institutions, providing for immediate preemption of local laws, and delaying enforcement of the CCPA by the Attorney General until the earlier of six months from adoption of regulations or July 1, 2020.  A copy of the current bill as of August 24 is here. Unfortunately, even with the August 24 additions, much remains to be fixed and in this post, we point out issues the legislature should address.

The original New SB-1121 would amend the CCPA in the following modest ways:

  • A business would not be required to disclose a consumer’s deletion right on its website or in its online privacy policy(ies). Rather, it must provide notice “in a form that is reasonably accessible to consumers.” Thus, a business could provide notice through its privacy policy but is not required to.
  • Adds a Section (k) to 1798.145, which states that the rights and obligations under the CCPA do not apply if they infringe on a business’ noncommercial speech rights. This is a further attempt to guard against a First Amendment challenge to the law.
  • Adds a sentence to 1798.150(c) clarifying that the private right of action set forth in §1798.150(a) only applies to “violations” that are security incidents as described in CA CIVIL CODE §1798.150(a). This merely clarifies the provision, presumably to try to address ambiguities from the use of the term “violations” of the CCPA, which itself has no security duty provisions other than in the remedy provision itself.
  • Adds that the CCPA will not apply if its application is preempted by or is in conflict with the US Constitution. The CCPA, as passed, already stated that it will not apply if its application is preempted by or is in conflict with federal law or the California Constitution.
  • Makes various grammatical, technical and clarifying changes to the CCPA. For example, it would change “business’” to “business’s” and “opt out” to “opt-out.”

The 8/24 Amendment proposes other material changes, such as:

  • Prohibiting application of the Act to personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (governing financial institutions) or the CA Financial Information Privacy Act, or protected health information collected by a covered entity or business associate governed by the federal Health Insurance Portability and Accountability Act or medical information governed by the CA Confidentiality of Medical Information Act. This expands existing carve outs.
  • Further clarifies that the private right of action is limited to the type of data security incident defined in subsection (a) of Section 1798.150 and not any other violations of “any other sections of this title.”
  • Revises the definition of personal information to clarify that data that falls into the categories of personal information described will only be personal information if “it identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.” In other words, data falling into one of the specified categories is not per se personal information.
  • Changes the civil penalty provisions available to the Attorney General by (i) making them independent of Section 17206 of the Business and Professions Code; and (ii) providing that penalty for each violation can be up to $7500 regardless of intent (intent currently required to exceed $2500 per violation).
  • Removes the one year requirement for the Attorney General to establish certain rules and procedures (e.g., opt-out), puts a deadline of July 1, 2020 on the Attorney General to adopt regulations furthering the purpose of the Act, and limits enforcement by the Attorney General until six months thereafter, or July 1, 2020, whichever is sooner.
  • Makes the preemption of local laws immediate.

In the remainder of this post, we will discuss some of what the legislature should consider addressing as part of SB-1121, or otherwise.

First, it is worth noting what was scrapped when amending SB-1121. Old SB-1121 would have amended California’s data breach laws under Title 1.81 of the Civil Code in a manner that would increase consumer remedies when it comes to such breaches and do so beyond what the CCPA provides. For example, under current California data breach law, “customers” may bring an action for damages incurred arising out of a business’ violation of data security laws. Old SB-1121 would have expanded the scope of data breach laws to “consumers,” defined as any natural person, and provided for statutory penalties for data breach and breach notification violations. The CCPA’s new private right of action is more limited, restricting statutory damages to where there is insufficient cure after notice and requiring notice to the Attorney General and the ability for the Attorney General to stop the private action from proceeding. However, neither the CCPA nor SB-1121 changes the existing private right of action under Title 1.81. SB-1121 should be further amended to do away with the private right of action under Title 1.81 and have the new private right of action under Title 1.81.5 be the exclusive private right of action for data security failures. Moreover, Old SB-1121 proposed to expand the coverage of California’s Shine the Light Act beyond California “customers” to “consumers” (i.e., natural persons), with respect to non-compliance with the Shine the Light Act’s transparency and choice requirements regarding sharing of personal information for third-party direct marketing purposes. These provisions were dropped in New SB-1121, but New SB-1121, as revised by the 8/24 Amendment, does nothing to try to harmonize California’s Shine the Light Act with the much more comprehensive consumer privacy rights of the CCPA. SB-1121 should be further amended to repeal the Shine the Light Act altogether. Otherwise, covered businesses will struggle with two different but overlapping California transparency and choice regimes — including the need to post homepage links on their web sites to both a “Your California Privacy Rights” link to a Shine the Light Act rights notice and a “Do Not Sell My Personal Information” link to the CCPA opt-out.

Lobbyists for both industry and consumer groups are pushing for a variety of changes.   However, it is unlikely that SB-1121 will be used to substantially water down the CCPA, as the 8/24 Amendment reflects.  The legislative history of both AB-375 and SB-1121 indicates that the ballot initiative sponsors have promised to revive the initiative if that is done. Rather, expect SB-1121 to refine the law, fix conflicts and unintended consequences and possibly better harmonize it with other California data privacy and security laws, such as Shine the Light (regulating sharing of personal information for third-party marketing), Cal. OPPA (regulating online privacy and privacy policies) and data security and breach notification laws. A delay in enforcement proposed by the 8/24 Amendment seems possible, especially since it is prudent to provide time for regulations to be promulgated and taken into account by businesses.  The EFF and other groups are pushing not to water down, but to further expand, consumer rights under the CCPA. For instance, the EFF’s proposals include expanding the private right of action to any breach of the CCPA’s obligations, including privacy transparency and choice requirements. The legislative history of the CCPA and reports of what went on behind the scenes to reach the compromise indicate that a very narrow private right of action was a key issue for industry, and AB 375’s authors accepted that as fundamental to the compromise.  However, as noted below, that intent could be better clarified and it appears from the 8/24 Amendment that there is interest by the legislature in doing so.

In addition to harmonizing Title 1.81 and new Title 1.81.5 to repeal the Shine the Light Act and Title 1.81’s private rights of action, as already discussed, a few of the things we would like the California legislature to consider include:

  • The ANA Coalition proposal, in particular regarding the definition of personal information, deidentified and aggregate data, data portability, detailing specific pieces of personal information on a customer-specific basis, allowing less than an all-or-nothing opt-out of sales, clarifications on incentive and loyalty programs, better cleaning up of conflicts with existing federal laws (which is addressed in the 8/24 Amendment) and regarding interest-based advertising.
  • Businesses must list the categories of personal information disclosed for a business purpose in the preceding 12 months (or if the business has not disclosed consumers’ personal information for a business purpose in the preceding 12 months, the business must state that). However, there is no obligation to include a list of categories of personal information disclosed for a commercial purpose in the preceding 12 months. This distinction between the underlying purposes does not apply with respect to categories of personal information collected, just disclosed. Was this intentional or a drafting error?
  • The CCPA is internally inconsistent as to whether or not the online notice needs to include the categories of sources from which personal information is collected, the categories of third parties with which personal information is disclosed and the specific pieces of personal information collected about a specific consumer. This should be clarified. Obviously, the last could not be done in a general notice.
  • The CCPA permits transfers to a third party of the personal information of a consumer as an asset that is part of a merger, acquisition, bankruptcy or other transaction in which the third party assumes control of all or part of the business, provided that information is used or shared consistently with §1798.110 and §1798.115. If the recipient in such a transaction materially alters how it uses or shares the PI of a consumer in a manner that is materially inconsistent with the promises made at the time of collection, it needs to provide prior notice of the new or changed practice to the consumer. However, §1798.110 and §1798.115 are the sections that set forth notice and disclosure requirements of consumer rights under the CCPA regarding businesses that collect personal information, sell personal information or disclose personal information for a business purpose. Presumably, the intent is that the data continue to be used and shared as described in the privacy policy or notice that included those CCPA rights disclosures. However, that is not what the Act explicitly states.
  • The definition of business includes, “[a]ny entity that controls or is controlled by a business, as defined in subparagraph (1), and that shares Common Branding [“shared name, servicemark, or trademark”] with the business.” As such, the CCPA essentially requires all of the members of a similarly branded family of companies that have an entity that meets the definition of business to also be treated as a covered business. It is not clear if the intent is that the commonly branded entities must or can be treated as a single business under the CCPA.
  • The CCPA will regulate “personal information,” broadly defined as “information that identifies, relates to, describes, is capable of being associated with or could reasonably be linked, directly or indirectly with a particular consumer or household.” This includes information collected both online and offline. It is hard to imagine what data about a person is not capable of being associated with a particular consumer or household. For instance, demographic data alone (e.g., gender, profession, race) is capable of being associated with a person, but alone, it will not reasonably enable their identification or be reasonably linked to a specific person. Compare this to the definition of personal information under Title 1.81 of the California Civil Code, which includes California’s customer records security and breach laws, and the Shine the Light Act’s marketing transparency and choice requirements. In that title, there is a top-level definition of personal information that includes “any information … capable of being associated with a particular individual” to which the duty of reasonable security under the circumstances applies, but more narrow definitions are used regarding a customer’s rights regarding sharing for third-party marketing purposes (“any information that when it was disclosed identified, described or was able to be associated with an individual….)” and regarding the type of data that will trigger a breach notification obligation (first initial or name and last name plus an account number or ID number and password). While a broad definition arguably has utility with respect to providing notice of what data is collected, when applied to what data is disclosed or sold, and even more so as applied to opt-out, portability and deletion rights, it is likely practically unworkable. This problem is made worse by the CCPA’s ambiguities regarding deidentified data and aggregate consumer information, discussed below. 
    The 8/24 Amendment’s revision of the definition of personal information does not reach this issue.
  • The definition of PI under the CCPA does not include publicly available information. “Publicly available” is defined as “information that is lawfully made available from federal, state or local government records, if any conditions associated with such information.” The italicized language seems to be a typo or an incomplete thought. Further, under the Act, information is not “publicly available” if that data is used for a purpose that is not compatible with the purpose for which the data is maintained and made available in the government records or for which it is publicly maintained. Practically, this likely precludes many, if not most, uses by a business, given that their uses will rarely be the same as the government’s purpose, at least with respect to most commercial purposes. Also included in the provision regarding what is not personal information is deidentified data and aggregate consumer information, suggesting that these types of data are intended to be excluded from the definition of personal information, but this is unclear as the law is currently worded. The CCPA states “‘Publicly Available’ does not include consumer information that is Deidentified or aggregate consumer information.” The intent is likely to have used “Personal Information” rather than “Publicly Available,” given the context. However, Section 1798.145(a)(5) provides that “[t]he obligations imposed on businesses by this title shall not restrict a business’s ability to … collect, use, retain, sell or disclose consumer information that is deidentified or in the aggregate consumer information.” This would seem sufficient to remove deidentified and aggregate consumer information from the data applicable to deletion and “do not sell” rights. 
    Practically, portability rights would also not apply, especially since the CCPA provides that there is no obligation to re-identify deidentified data “not maintained in a manner that would be considered personal information.” However, the other obligations regarding personal information would seem to apply unless the definition of personal information is clarified to exclude deidentified and aggregate consumer information. Also, the definition of deidentified suffers from the same problem as the definition of personal information — data “capable of being associated with … a particular consumer,” which could be cured by taking a narrower view of personal information as already suggested.
  • Another ambiguity regarding what is and is not personal information has to do with device identifiers. The definition of personal information is tied to a “particular consumer or household,” and “device” is not included in the definition. However, it is used for purposes of counting “the personal information of 50,000 or more consumers, households or devices” for reaching the threshold of being a covered business. Further, the examples of personal information, which are also the categories that personal information is to be grouped in for reporting purposes, include Unique IDs and Probabilistic IDs, both of which are said to be tied to a device, and the definition of aggregate consumer information excludes information that is linkable to a device. Accordingly, are browser IDs, cookie IDs, AD IDs and other unique identifiers used to identify a device, or a pseudonymous user, personal information or deidentified? This is particularly relevant given the personal information deletion right. Under a broad interpretation of the Act, such a deletion request could potentially require the deletion of cookies, other device IDs, other unique identifiers and related usage data for many of the purposes for which a business would typically use them that are not included in the exceptions of the deletion requirement. Again, this could be fixed by a much narrower definition of personal information, at least for purposes other than notice of collection.
  • The CCPA requires a business that collects a consumer’s personal information to, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information will be used. A business cannot collect additional categories of personal information or use personal information collected for additional purposes without providing the consumer with such notice. No guidance is given on whether disclosure in a publicly posted privacy policy is sufficient notice. This is particularly relevant when the collection takes place in a context remote from where the privacy policy is posted. For instance, collection includes buying, renting, obtaining or receiving personal information indirectly or passively and/or from a third party. Other than in a publicly posted privacy policy, how could a business make the required disclosures prior to a third-party transfer where the business has no touchpoint with the data subject? While the recipient business could contractually require the disclosing business to provide the notice prior to its collection, that would not seem to meet the technical requirements of the statute.
  • Under the CCPA, “sell,” “selling,” “sale” and “sold” are defined as “selling, renting, releasing, disclosing, disseminating, making available, transferring or otherwise communicating a consumer’s personal information to another business or a third party for monetary or valuable consideration.” However, a business does not “sell” personal information under the CCPA when a consumer uses or directs the business to intentionally disclose personal information or uses the business to intentionally interact with a third party, provided the third party does not also sell the personal information, unless that disclosure would be consistent with the provisions of the Act. If the third party that a consumer directs a business to share personal information with is not committing to the business and/or to the consumer to not sell the personal information, then it appears that this would still be a sale, assuming there is some kind of valuable consideration to the business. This would mean that upon a no-sale request, a business would have to deactivate this kind of sharing. This could arguably present a problem for things like social media plug-ins, where the business implementing the plug-in on its site is arguably obtaining the value of the use of the plug-in (e.g., registering likes of the business or sharing messages about the business). This could be addressed by requiring monetary consideration to rise to the level of sale and/or providing for other than an all-or-nothing opt-out requirement.
  • Under the CCPA, consumers have the right to equal service and price, meaning that a business cannot discriminate against a consumer because the consumer exercised any of their rights under the CCPA, subject to certain exceptions. For instance, a business can charge a consumer a different price or rate, or provide a different level or quality of goods or services if the difference in price, rate or quality is “reasonably related to the value provided to the Consumer [sic?] by the Consumer’s data.” Presumably, the first use of the word “Consumer” is a typo and intended to be “Business.” It would make more sense if this read “value provided to the Business by the Consumer’s data.” It will be difficult enough to quantify the value to the business, but seemingly impossible to determine what the value would be to a particular consumer of his own data. The value to a business could arguably be determined by looking at the market for similar data and the cost of acquisition elsewhere, etc., but the value to a consumer seems entirely subjective and not capable of a market-driven appraisal.
  • As already noted, there is a narrow private right of action under the CCPA, but it is not applicable to violations of the CCPA. Rather, “[a]ny Consumer whose nonencrypted or nonredacted PI, as defined in Section 1798.81.5(d)(1)(A), is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute” a private right of action for any of the following: (a) damages not less than $100 and not greater than $750 per consumer per incident, or actual damages, whichever is greater, (b) injunctive or declaratory relief and (c) any other relief the court deems proper, IF all the following requirements are met:

(1) Before initiating any action on an individual or class-wide basis, the consumer provides the business 30 days’ written notice identifying the specific provisions of the CCPA that the consumer alleges have been or are being violated, and a 30-day opportunity to cure;

(2) A consumer bringing an action notifies the CaAG within 30 days that the action has been filed; and

(3) The CaAG, upon receiving such notice, shall, within 30 days, do one of the following:

• Notify the consumer bringing the action of the CaAG’s intent to prosecute an action against the violation. If the CaAG does not prosecute within six months, the consumer may proceed with the action;

• Refrain from acting within the 30 days, allowing the consumer bringing the action to proceed; or

• Notify the consumer bringing the action that the consumer shall not proceed with the action.

Pursuant to the Act, in assessing the amount of statutory damages, the court shall consider any one or more of the relevant circumstances presented by any of the parties to the case, including, but not limited to, the nature and seriousness of the misconduct, the number of violations, the persistence of the misconduct, the length of time over which the misconduct occurred, the willfulness of the defendant’s misconduct and the defendant’s assets, liabilities, and net worth. A business’ timely cure, however, will preclude statutory damages.

As passed, the CCPA has no express duty regarding data security. It is a little confusing given that the CCPA’s limited private right of action is for security breaches of some of the types of data elements that would trigger a notification requirement under CA Civil Code Title 1.81. Section 1798.82, however, uses slightly different language to define what constitutes a security incident. Further, a consumer’s CCPA cause of action is limited to data security failures following a breach, so it is unclear what violation could be noticed or cured. Moreover, even if the duty of security is implied in the CCPA by the private right of action provision, it is not clear how a business could retrospectively cure a past breach, or if all that would be necessary to cure is to prospectively cure the security inadequacies. New SB-1121 proposed to add a sentence to §1798.150(c) clarifying that the private right of action set forth in §1798.150(a) only applies to violations of §1798.150(a), meaning the occurrence of the type of data breach described therein. The 8/24 Amendment further clarifies this by adding “and shall not be based on violations of any other section of this title.” These are welcome clarifications. However, the proposals do not address the cure issues, nor harmonize Titles 1.81 and 1.81.5, which now have two different and conflicting private rights of action — one for customers under Title 1.81 and one for consumers under Title 1.81.5. Further, although Section 1798.185(c) provides, “nothing in this act [title] shall be interpreted to serve as the basis for a private right of action under any other law,” it would be helpful, to discourage overzealous plaintiffs’ attorneys, to better explain what we understand to be the intent and add “, and specifically there shall be no private cause of action to recover remedies available under CA Business and Professions Code Section 17200 or other similar consumer protection laws as a result of a violation of this Title.”

These are but some of the many problems with the CCPA that New SB-1121 and the 8/24 Amendment have yet to address. See Professor Goldman’s post and the ANA Coalition Proposal for more. In addition, for a source of ongoing additional information on the CCPA, see this collection of articles and resources curated by George Washington University Law School Professor Daniel J. Solove at his CCPA Resource Center.