Educational approaches to help businesses understand how to comply with the state’s new privacy law will be far more efficient than costly enforcement actions, according to the California Chamber of Commerce.
In testimony last week at a legislative informational hearing, CalChamber Policy Advocate Sarah Boot called for setting businesses up for success “because the privacy goals…that we all care so much about will be met when companies are actually able to comply with” the California Consumer Privacy Act (CCPA).
She told members of the Assembly Privacy and Consumer Protection Committee on February 20 that over the last several months she has been on multiple calls in which privacy experts from around the country can’t agree or figure out what certain provisions of the CCPA mean.
Boot argued against adding a private right of action to the “incredibly confusing, detailed and complex” CCPA. The Private Attorneys General Act, which enables trial lawyers to enforce government regulations in employment, has led to abuses, she pointed out.
Granting trial lawyers the same power on the privacy law “would be a class action bonanza,” Boot said.
Business Concerns
A CalChamber-led coalition has been working since the CCPA was enacted last year to fix flaws in the law. Legislation signed last year (SB 1121) corrected a handful of the problematic provisions, but much more needs to be done before the CCPA goes into effect on January 1, 2020.
At the informational hearing, Boot described two concerns related to data security and privacy:
• The CCPA requires businesses to send consumers “specific pieces of information” the business has collected after receiving a consumer request, but does not define “specific pieces of information.”
To alleviate the risk of sending the requested information to a fraudster, the business may need to collect even more information from the consumer making the request to be sure the business is sending sensitive information to the right person—especially when the business has no direct relationship with the consumer.
Collecting that additional information runs counter to privacy goals and could greatly harm consumers. Therefore, the coalition is seeking a CCPA amendment to limit these risks.
• The CCPA’s references to households and devices in the definition of personal information should be removed, Boot said. As written, the act seems to allow one member of a household—whether an abusive spouse or a roommate—to gain access to all specific pieces of personal information—including credit card information, precise geolocation data, or even shopping records—about another member of the household.
Similarly, one user of a device can request all the specific pieces of information a company has about that device.
Including households and devices in the definition of personal information compromises the privacy of consumers and could also infringe on the choices of other household members, she said. For example, if one household member asks to delete all data associated with a household, another household member subsequently would be unable to gain access to that information.
That result runs counter to the privacy goals of the CCPA.
Boot along with other legal experts described a handful of other concerns the business community has with this law, including that it covers employee data, that it could prevent loyalty and rewards programs, and that it would impede targeted online ads.
Government Services
Boot also pointed out that the CCPA places restrictions on the sale of data to government entities that will have a “profoundly negative impact” on many crucial government services, such as:
• Screening Medi-Cal providers to ensure there is nothing in their history that would prevent them from providing patient care;
• Searching to reunite foster youth with relatives and to assess the suitability of would-be foster parents;
• Child support enforcement activities;
• Fraud prevention in public retirement accounts and other governmental benefits programs;
• Law enforcement response for crimes in progress; and
• Finding abducted children.
If “bad actors” can opt out of the sale of their data to governmental entities for these limited kinds of purposes, the efforts above would be thwarted.
The CCPA’s opt-out provision also undermines legal compliance activities and efforts to prevent identity theft, Boot said.
She commented that the CCPA recognizes part of the problem with an exemption stating that a business need not delete data that is necessary to detect security incidents or to protect against malicious, deceptive, fraudulent, or illegal activity.
The same type of exemption should be applied to the right to opt out of the sale of data for limited purposes, Boot said.
If California can fix the CCPA, Boot concluded, “it really could be a model for the rest of the country. But we have to get it right.”