CalChamber Explains Changes Needed So New Privacy Law Will Protect Privacy

The privacy law passed last year applies to businesses of all sizes and needs changes to clarify that consumer loyalty and rewards programs can continue, the California Chamber of Commerce told a Senate committee this week.

Moreover, if the law’s “incredibly overbroad” definition of personal information is not adjusted, “it will undermine existing privacy protective practices and impose significant operational costs on businesses,” CalChamber Policy Advocate Sarah Boot told the Senate Judiciary Committee.

CalChamber Policy Advocate Sarah Boot describes for the Senate Judiciary Committee some of the changes needed in the California Consumer Privacy Act so it won’t prevent businesses from offering popular loyalty/rewards programs to customers.

Boot presented the business perspective at the committee’s March 5 informational hearing about the California Consumer Protection Act (CCPA) and the state of data privacy protection.

Consequences

Because the CCPA’s definition of “personal information” is so overbroad, Boot said, as a practical matter, the term means “any information that could in theory be associated with a person or household.”

Therefore, “If I have an online account with a store and I exercise my rights under CCPA, that store should be able to provide me with my account details or to delete them,” she said.

“But that’s only the beginning of what a business is required to do,” Boot continued. “Let’s say I also browse sales on the store’s website or fill up shopping carts without logging in—and that store keeps IP addresses to track how consumers use their website, but it doesn’t link that data back with a person.

“Under the CCPA, the store could be required to search for every possible IP address they have that could in theory be linked back to me. Similarly, if I made purchases inside their brick-and-mortar store, they could be required to search security camera footage to where I appear on it.

“The only way for businesses to comply would be to identify people interacting with their business and to store that information together in one place, which would be hugely wasteful and harmful to consumer privacy.”

She acknowledged that the CCPA contains an exemption stating that a business is not required to relink data that is “not maintained in a manner that would be considered personal information.”

Given the CCPA’s definition, however, “all data is personal information. So this exemption does not provide relief and should be fixed,” Boot said.

Other definitions she said need adjusting so that businesses aren’t discouraged from using privacy protective practices are deidentified data and publicly available data.

Lawsuit Liability

Boot reiterated for the Senate committee a concern expressed at the Assembly informational hearing in February—that the CCPA creates an onerous private right of action, allowing anyone to sue businesses that have suffered a data breach without having to show proof of injury.

“The minimum statutory damages awarded could put folks out of business,” she said.

Other Concerns

• Confusing language in the non-discrimination section of the CCPA raises doubts about the legality of loyalty and rewards programs offered by retailers, grocers, hotels and airlines. Unless the section is clarified, it will be up to the courts to determine the fate of these programs.

• Without clarification, the definition of “consumer” could be interpreted to include employees.

• The impact of the CCPA on targeted online advertising deserves clarification. No personally identifiable information is being sold. The internet ecosystem—from small blogs to large publications—and businesses of all sizes depends on this advertising network to reach consumers.

The CalChamber is leading a coalition of concerned businesses that is working to fix flaws in the CCPA before it goes into effect on January 1, 2020. Legislation signed last year (SB 1121) corrected a handful of problems, but much more remains to be done.

Staff Contact: Sarah Boot

Previous articleSeeking Nominations for Outstanding Small Business Leaders
Next articleWhy Tax Reform Is Hard
Sarah R. Boot served as a CalChamber policy advocate from March 2018 to December 2019. She specialized in privacy/technology, telecommunications, economic development, and taxation issues. Before joining CalChamber, Boot was a top adviser to now-Senate President Pro Tem Toni G. Atkins, serving as the senator’s legislative director and as lead staffer on legal, privacy, telecommunications, business, and technology issues, among many others. Boot also was principal consultant to Atkins during her time as Assembly Speaker and Speaker Emeritus. For three years, Boot was an assistant U.S. attorney in the Southern District of California. She prosecuted a broad array of federal crimes, including bank robbery, sex trafficking of minors, and narcotics trafficking. In private practice, Boot spent three years litigating complex civil and intellectual property litigation, primarily representing Internet and technology companies. Boot earned her J.D. from the University of Michigan Law School. She graduated from the University of Michigan with an honors degree in political science and a minor in Spanish