Possible Defects In California’s New Privacy Law
By: Peter J. Pizzi
The June 2018 California Consumer Privacy Act, which becomes effective in 2020, merits attention given the size and scope of the California economy and the pattern by which that state has served as a bellwether for all things digital. After all, California was early in passing a breach notification statute. Now, all 50 states have followed suit, leading to the current regulatory zoo that persists in the absence of an overarching federal breach notification statute. After an introduction to the California law, this article will focus on the constitutional challenges and other problems presented by the CCPA.
The CCPA marks the first attempt of any U.S. state to endow residents with strong rights regarding the collection and use of their data. With only a loose definition of “personal data” provided by this statute, businesses are on the hook for “any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly with a particular consumer or household,” and the statute clarifies that this definition, though broad, does not encompass publicly available data. Some of the more interesting or relevant examples of personal data under the CCPA include:
- Identifiers, such as name, Social Security number, account name, physical address, email address, or internet protocol address.
- Biometric information.
- Internet activity, such as browsing history, search history, or a consumer’s past interaction with a website.
- Geolocation information.
Further, any data regarding preferences, abilities, psychological trends, or attitudes deduced by any of these (or other related) means or their intersections is also protected and falls under the sweeping definition of “personal data.” The CCPA furnishes residents with a data collection opt-out privilege, meaning that California consumers will have the right to demand the cessation of collection and sale of personal data. To facilitate this privilege, compliant websites must feature a conspicuous and prominent link titled “Do Not Sell My Personal Information.” Minors, defined as those under 16, default to this opt-out setting and must request to opt-in to any data collection or sales. Data collection opt-out serves as the main thrust of the legislation, but other important highlights include:
- Disclosure of Use: Businesses are obligated to provide upon consumer request the personal information, categories, intended purpose(s) of collected personal information, and categories of third parties with access.
- Deletion Privilege: Upon request, a business must delete a California consumer’s personal information.
- Role of Attorney General: The attorney general will enforce the act and its provisions and has rule-making authority. In fact, the AG shares authority with private litigants but has the right to veto consumer litigation.
- Private Right of Action: Before the CCPA, in the event of a breach, consumers whose data had been exposed typically filed claims under common law and state consumer protection statutes. However, with the passage of the CCPA comes a (vague) cause of action for data breach casualties. In the case of “exfiltration, theft, or disclosure” of personal information due to a business’ “violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information,” the CCPA enables class actions that provide for $100 to $750 per victim in damages.
Even though the statute does not seek blanket application to every California business and acknowledges such limited scope, applicability thresholds are low enough that many businesses will be impacted. If a business (1) exceeds $25 million in annual revenue, (2) derives at least half of its revenues from selling consumer data, or (3) “annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices,” CCPA strictures will apply. This third clause will trigger mandatory CCPA compliance for many businesses, including gas stations, relatively small websites using Google AdSense, manufacturers, health clubs and restaurants that average more than 140 unique customers per day. The CCPA goes into effect January 2020, giving these and other businesses a mere 18 months to adopt compliance procedures and action plans.
The constitutionality of the CCPA remains murky. Although the statute is rife with kinks to be sorted out and budding problems, none looms bigger than the First Amendment infirmities that lurk within its provisions. Back in 2011, the U.S. Supreme Court ruled in Sorrell v. IMS Health Inc. that the Vermont law requiring “content- and speaker-based restrictions on the sale, disclosure, and use of prescriber-identifying information” violated the First Amendment, despite Vermont’s stated public health intentions. The court opined, “the State cannot engage in content-based discrimination to advance its own side of a debate.” According to the Sorrell rationale, the CCPA’s mandatory disclosure requirement may infringe on commercial free speech precisely because it is so broadly applicable. The court in Sorrell distinguished the Health Insurance Portability and Accountability Act of 1996 because its compelled disclosures are narrowly crafted.
Not only does the CCPA raise freedom of speech concerns, but the act also potentially conflicts with the commerce clause. This clause imparts Congress with the power “to regulate Commerce with foreign Nations, and among the several States, and with the Indian Tribes.” Since Chief Justice John Marshall considered the dormancy inherent in the commerce clause in Gibbons v. Ogden (1824), courts have long inferred from this clause the “dormant” commerce clause, which provides that state laws should not discriminate against or unduly burden interstate commerce. A compelling argument can be made in favor of a conflict between the CCPA and the dormant commerce clause, regardless of the actions of
Consider the hypothetical options: either (1) at least one other state enacts a data protection law which is not identical to the CCPA, or (2) no other state follows suit. Fleshing out this hypothetical scenario, if (1) holds, then any business processing consumer data in these two or more states must establish different compliance procedures for each state. Since data privacy laws mandate the ways consumer data can be collected, held and sold, businesses must ensure unceasing compliance with each state law. Unlike data breach laws that vary by state, which regulate the procedures and actions necessary in the event of a breach, data collection and privacy laws demand substantial commitments to specific infrastructure and operations. Thus, different state laws potentially mandating different data collection practices (or even practices that are at odds with each other) may pass the (admittedly) high bar sufficient to trigger dormant commerce clause concerns, since businesses could argue that such laws unduly burden participation in interstate commerce.
In the alternative case (2), the CCPA still arguably violates the dormant commerce clause. A business located outside California that predominantly does business outside the state (but does enough to trigger CCPA applicability) would have to completely overhaul its systems and procedures in order to comply. Given California’s economic scale and impact, many businesses will likely continue to do business with California residents and learn to deal with the regulatory load. The burden, however, may amount to “discrimination” in interstate commerce and trigger application of the commerce clause.
The CCPA suffers not only from constitutional concerns, but other challenges reflective of the haste by which it came into existence. The act includes contradictions, unclear language and half-baked solutions.
For instance, the CCPA “would authorize a consumer to opt out of the sale of personal information by a business and would prohibit the business from discriminating against the consumer for exercising this right, including by charging the consumer who opts out a different price or providing the consumer a different quality of goods or services, except if the difference is reasonably related to value provided by the consumer’s data.” While the first clause of this statement suggests that businesses may not retaliate against consumers who choose to opt out by charging more, the second clause introduces a legal quagmire: How is reasonability to be determined, and moreover, what business would not argue that consumer data provides value?
The CCPA also “would authorize businesses to offer financial incentives for collection of personal information.” If businesses may “offer financial incentives,” does that not imply the right to charge different rates to different consumers, depending on their assertion of opt-out privilege? It remains unclear to what extent businesses may engage in privacy-based price discrimination, if a business may now require consumers to effectively pay for privacy, or how a business may treat a consumer that has elected to execute CCPA-granted rights.
More ambiguity lies with the CCPA’s establishment of a private cause of action. After notifying a business of the intention to file suit, a plaintiff seeking to pursue CCPA claims must wait 30 days to provide the business with a limited window in which to “cure” the violation. Then, if the business “actually cures the noticed violation and provides the consumer an express written statement that the violations have been cured and that no further violations shall occur,” the plaintiff cannot recover statutory damages. What would it mean for a company to “cure” a data breach? Since consumer data has already been compromised, would a “cure” constitute future safeguards against that type of breach, or does the term take the stronger position that a “cure” indicates reclamation of the data from the hackers?
Substantial reliance upon the attorney general marks a third problem. Recognizing the haste with which the statute was drafted, California legislators provided the state attorney general with teeth to steer the CCPA in its desired direction. In doing so, lawmakers furnished the attorney general with rule-making authority and the right to veto consumer litigation, and they further encouraged the attorney general to “solicit broad participation to adopt regulations,” including clarifying definitions or “adopt[ing] additional regulation as necessary to further the purposes of this title.” Such deference to the attorney general not only reflects the legislators’ fears of contradictions baked into the CCPA but stands as a problem in and of itself.
The CCPA’s broad scope stands as another roadblock to the act’s success. Although many associate data privacy, data collection, and data sales with internet companies, the CCPA makes no such limitation. As indicated throughout this article (but worth further emphasis), the provisions of the CCPA apply to any business meeting one of the three applicability thresholds. However, because of the association between “data collection” and “the internet,” many businesses with weak internet presences may shrug off the CCPA’s passage and provisions prematurely, and thus may find themselves wholly unprepared for, or scrambling to implement, compliance measures when the CCPA rolls into effect in 2020. Moreover, given California’s substantial size and economy, many businesses choose to have a presence in the state. The CCPA broadly applies to these businesses as well, upon meeting applicability requirements.
Attempting to follow the lead set by the EU’s General Data Protection Regulation and in reaction to a growing trend of data breaches, California hastily passed the Consumer Privacy Act in a well-intentioned but poorly executed bid to protect its residents. Although enacted with the intent to protect the average person’s digital trail and endow citizens with certain data privacy rights, the act will have to hurdle substantial constitutional concerns. With only 18 months to set in place compliance procedures, businesses across the U.S. must expeditiously begin and continue to prepare for this data collection regulation — all while feverishly working to comply with the GDPR and still attempting to remain abreast of developments as other states flirt with data privacy legislation. The clock is ticking.
Author’s note: Walsh 2018 Summer Intern Sabrina Solow contributed to this article.