Monday, July 2, 2018

Looking At California's Internet Privacy Bill: "A Privacy Bomb Is About to Be Dropped on the California Economy and the Global Internet"

This article was written a day before the bill passed the Cali legislature but has some insight that may be actionable.
From the Technology & Marketing Law blog, June 27:
By tomorrow, the California legislature likely will pass a sweeping, lengthy, overly-complicated, and poorly-constructed privacy law that will have ripple effects throughout the world. While not quite as comprehensive as the GDPR, it copies some aspects of the GDPR and will squarely impact every Internet service in California (some of whom may not currently be complying with GDPR due to their US-only operations). The GDPR took 4 years to develop; in contrast, the California legislature will spend a grand total of 7 days working on this major bill. It’s such a short turnaround that most stakeholders won’t have a chance to participate in the legislative proceedings. So the Internet is likely to change radically tomorrow, and most people have no clue what’s coming or any voice in the process.
As bad as this sounds, the legislature’s passage of the bill is likely the GOOD outcome in this scenario. What could be worse?
The legislative rush-job was prompted by a proposed initiative, the California Consumer Privacy Act, which got certified for the ballot on Monday. The initiative was sponsored by San Francisco real estate developer Alastair Mactaggart, who has no expertise in privacy law but enough money to fund his pet topics. He spent $3M getting the initiative qualified for the ballot and funding a support campaign. The initiative process in California has several known defects, including (1) the text is locked down, so there’s no way to improve the proposed text based on comments from other stakeholders (which the legislative process allows), and (2) extreme difficulty amending or repealing the law once approved by voters–effectively, it becomes frozen law that’s permanently out of the legislature’s purview. So if the initiative passes, the initiative’s worse language will become immutable–we’ll be stuck with its many defects potentially forever. By getting the initiative qualified, Mactaggart has leverage over the legislature. He can demand that the legislature pass a law like the initiative before the deadline to withdraw the initiative from the ballot (in which case he’ll withdraw), or the voters will potentially lock in the initiative language forever. The deadline to withdraw the initiative is tomorrow, so that’s what’s prompting the legislative fire drill.
Given dulled public sentiments towards the Internet giants, the desire of Californians for more privacy protection (especially from the government), and the initiative’s overwhelming complexity, defeating the initiative at the ballot box is no easy task. Opponents are estimating they will build a $100M warchest to fight the initiative, and even then, its defeat is not guaranteed. With the nuclear option of frozen text as an unbearable downside risk, the Internet giants will cave and support a legislative deal, which they can try to amend later, rather than gamble at the ballot box.
I trust you noticed how Mactaggart’s trick is infinitely repeatable by other millionaires. It usually costs about $1M to gather enough signatures to qualify an initiative for the ballot. Every wealthy person with a pet topic can spend that million, get the certification for the ballot, and then approach the legislature with the same deal: pass my law or we’ll put the issue to voters and bypass the legislature altogether (and potentially handcuff legislative power on this topic forevermore). This is one of the worst possible ways to set a legislative agenda. Among other major problems facing our country, we need to eliminate California’s initiative process to shut down this unwelcome workaround to our democratic institutions.
“Summary” of the Bill
It’s not possible for me to write my own summary of the bill in the time I have to write this blog post. First, the bill text keeps changing. Second, the bill is 10,000 words of dense legalese covering a wide array of different policy ideas–including brand-new rights for consumers to access their data, erase their data, and opt-out of data sales (and giving minors opt-in rights), plus making various changes to the data breach notification law. This is an omnibus law, making it impossible to summarize in soundbites. Instead, here is the Senate Judiciary Committee report’s 3,000 word “summary”:
This bill would establish the California Consumer Privacy Act of 2018 (the Act) to become operative on January 1, 2020, contingent on the privacy initiative being withdrawn from the ballot pursuant to Section 9604 of the Elections Code.

This bill would provide that a consumer shall have the right to request that a business that collects a consumer’s personal information disclose to that consumer the categories and specific pieces of personal information the business has collected. The obligation to provide such information is only triggered upon receipt of a verifiable consumer request and is limited to no more than twice per year. Such business would be required to inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used. A business shall not collect additional categories of personal information or use personal information collected for additional purposes without providing the consumer with notice consistent with this section.

This bill would provide that a consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer. Upon such a request, the business would be required to delete the information from its records and direct any service providers to do the same. This right to delete would need to be disclosed by businesses collecting personal information.

This bill would provide that businesses are not required to delete information upon request where it is necessary for the business to maintain the consumer’s personal information for various purposes, including detecting security incidents; complying with a legal obligation; enabling solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business; or otherwise using the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information...
...
Some Comments
Legions of academics could spend their entire careers grokking these provisions and debating the pros and cons of each. The California legislature will spend less than 168 hours doing that… and if I hope to get out this post in any time-effective way, I have mere minutes to highlight just a few issues:
Who’s Covered by the Law? Virtually Every Business. The initiative has largely been styled as anti-data brokerage, but the bill actually applies to any “business that collects a consumer’s personal information.” “Business,” “collects,” and “personal information” are all defined terms, but expansively. For example, as I’ll explain in a moment, the definition of “personal information” covers virtually all information in a company’s possession. So let’s assume for a moment that, on its face, this law applies to every business–online and off–that has consumers. We’re not talking only about Internet giants like Google and Facebook. We’re talking every retailer big and small: every gas station, grocery store, restaurant, bakery, local mom-and-pop shop, etc. We’re talking every professional service provider: every attorney, accountant, therapist, doctor, etc. We’re even talking about most manufacturers–certainly those that sell direct-to-consumers, but possibly even those only transacting business-to-business.

The bill has extra obligations for businesses that “sell” consumer data, but again the definition is expansive (and the active subject of amendments) to include “disseminating” consumer data for “monetary or other valuable consideration.” The legislative report references the Cambridge Analytica scenario as one of the targets, but did Facebook “sell” the data to the Oxford researcher by allowing his access to Facebook’s API? There was no money exchanged, but every Internet company that sets up an API has a pretty clear quid-pro-quo of sharing the data to benefit its consumer base. Does that tacit quid-pro-quo constitute “valuable consideration”? If so, every Internet business with California ties and an API will be subject to the enhanced rules about data “sales,” even if no one would ever characterize the data transfers as a “sale.”

Acknowledging that it doesn’t intend to reach every California business, the bill sets up the following thresholds for applicability: a business must (1) have $25M+ in annual revenue, OR (2) derive 50%+ of its revenues from selling consumer data, OR (3) “annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.” So any business with 50,000 annual consumers–an average of 137/day–is almost certainly governed by this law, and that includes many mom-and-pop retailers and other small businesses. If I were to make only one edit to this bill, I’d change this section to add at least one zero to the $25M and 50k thresholds.

As an illustration of its broad reach, is my blog covered by the bill? I get 50k+ visitors/year, my analytics package picks up their IP addresses, and I get about $400/year from Google AdSense. Based on the bill’s expansive definition of “commercial purposes” (which seemingly includes ad revenue), I might be covered. If the bill passes and I’m covered, I would likely shut off Google ads to avoid complying with the law....

That's a tiny blog, meaning California wants to regulate the world.
Take that GDPR!

Previously (also June 27):
California Has 24 Hours to Pass This Privacy Bill or Else