While the European Union’s General Data Protection Regulation has just marked its first anniversary, the United States and, in particular, California have yet to follow in its footsteps. Sort of, that is. In the aftermath of the Cambridge Analytica scandal last year, California enacted the Consumer Privacy Act (CPA), which will take effect in January 2020. The new law seeks to protect privacy and personal information by creating new rights for consumers and imposing restrictions on businesses as to how data may be collected, used, shared and sold.
Privacy please! [This Kat is not transferring to Silicon Valley just yet]
New rights – room for improvement?
Right to know. The CPA grants a consumer the right to request that a business that collects the consumer’s personal information disclose to that consumer: (i) the categories and specific pieces of personal information the business has collected, (ii) the categories of sources from which the personal information is collected, (iii) the business or commercial purpose for collecting or selling personal information, and (iv) the categories of third parties with whom the business shares personal information. Further, a consumer will have the right to request the disclosure of only general categories of personal information, such as the rubric of name or social security number, without providing any specific information in that regard that the business has sold about the particular individual.
Deletion. Section 105 allows the consumer to request deletion of his/her personal information that the business has collected from the consumer. It is important to note that this right is limited to information collected from the consumer and not about the consumer. Another get-out-of-jail-free card for businesses may be created by the following exclusions:
A business or a service provider shall not be required to comply with a consumer’s request to delete the consumer’s personal information if it is necessary for the business or service provider to maintain the consumer’s personal information in order to exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law; […] [t]o enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business; [and] [o]therwise use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.
This regulation seems light years away from the European right to be forgotten. GDPR imposes an automatic obligation on personal data controllers to immediately erase data where they are no longer needed for their original processing purpose, the data subject has withdrawn his consent and there is no other legal ground for processing, the data subject has objected and there are no overriding legitimate grounds for the processing, or erasure is required to fulfil a statutory obligation under EU law or the law of the Member States. In addition, the controller must take reasonable measures to inform all other controllers processing the data that all links to this personal data, as well as copies or replications of the personal data, must be erased. The right to be forgotten may only be limited to the extent that processing is necessary to serve a public interest or exercise the right of freedom of expression and information.
Consent. Consumers will have a right to opt out of the sale of personal information about them. Moreover, businesses that sell a consumer’s personal information to third parties must provide notice to consumers that this information may be sold and that consumers have the right to opt out of the sale. A right to opt in will only be available to minors, and no opt-in is available, or consent required, for personal information collection or data sharing or selling.
Non-discrimination. The CPA does not allow businesses to discriminate against a consumer because the consumer sought to exercise any of the privacy rights. Specifically, businesses may not deny services, charge different prices or provide a different quality of services. However, this prohibition is arguably gutted by admittedly vague and broad exceptions relating to “financial incentives”, which businesses are allowed to offer depending upon consumer privacy preferences.
Private right of action. A consumer’s right to sue is limited to data breaches arising from the business’s violation of the duty to implement and maintain reasonable security procedures and practices. If any other provision of the CPA is violated by a business, only California’s Attorney General may initiate proceedings against such business.
Attempts to massage the CPA
In February 2019, State Assembly representative Buffy Wicks proposed an amendment to the CPA entitled “Privacy for All”. The bill sought to strengthen the CPA by introducing safeguards to non-discrimination, consumers’ rights to information, enforcement and consent. Despite the support of over 20 tech companies, Wicks withdrew Privacy for All because it was unlikely to get the necessary votes. Instead, the California Assembly Privacy and Consumer Protection Committee backed six bills supported by the tech industry, which inter alia would exclude employees from the definition of “consumer” under the CPA and empower companies to engage in price discrimination if consumers voluntarily participate in various loyalty programs.
Hope for a more stringent privacy law this year now largely rests with Sen. Hannah-Beth Jackson’s bill SB-561, which, if passed, would expand the CPA’s private right of action to any violation of a consumer’s rights under the CPA, eliminate the current 30-day remediation period, and remove businesses’ right to consult the Attorney General regarding compliance with the CPA.
Will Washington pick up the baton?
The strengthening of data privacy
initiatives is also brewing at the national level. In February, the Subcommittee on Consumer
Protection and Commerce of the Committee on Energy and Commerce held a hearing entitled,
"Protecting Consumer Privacy in the Era of Big Data." Later in the same
month, the Committee on Commerce, Science, and Transportation convened a hearing entitled,
“Policy Principles for a Federal Data Privacy Framework in the United States.”
One of the biggest concerns surrounding a potential federal data privacy law is pre-emption of state laws. For example, it is widely believed that Republicans in Congress would seek to set a lower privacy standard than that provided by the CPA. If pre-emption were to apply, the upshot would possibly be to override such state privacy laws.
California Privacy Law: Too Good to be True? Reviewed by Ieva Giedrimaite on Friday, June 07, 2019