The privacy law passed last year applies to businesses of all sizes and needs changes to clarify that consumer loyalty and rewards programs can continue, the California Chamber of Commerce told a Senate committee this week.
Moreover, if the law’s “incredibly overbroad” definition of personal information is not adjusted, “it will undermine existing privacy protective practices and impose significant operational costs on businesses,” CalChamber Policy Advocate Sarah Boot told the Senate Judiciary Committee.
Boot presented the business perspective at the committee’s March 5 informational hearing about the California Consumer Protection Act (CCPA) and the state of data privacy protection.
Because the CCPA’s definition of “personal information” is so overbroad, Boot said, as a practical matter, the term means “any information that could in theory be associated with a person or household.”
Therefore, “If I have an online account with a store and I exercise my rights under CCPA, that store should be able to provide me with my account details or to delete them,” she said.
“But that’s only the beginning of what a business is required to do,” Boot continued. “Let’s say I also browse sales on the store’s website or fill up shopping carts without logging in—and that store keeps IP addresses to track how consumers use their website, but it doesn’t link that data back with a person.
“Under the CCPA, the store could be required to search for every possible IP address they have that could in theory be linked back to me. Similarly, if I made purchases inside their brick-and-mortar store, they could be required to search security camera footage to where I appear on it.
“The only way for businesses to comply would be to identify people interacting with their business and to store that information together in one place, which would be hugely wasteful and harmful to consumer privacy.”
She acknowledged that the CCPA contains an exemption stating that a business is not required to relink data that is “not maintained in a manner that would be considered personal information.”
Given the CCPA’s definition, however, “all data is personal information. So this exemption does not provide relief and should be fixed,” Boot said.
Other definitions she said need adjusting so that businesses aren’t discouraged from using privacy protective practices are deidentified data and publicly available data.
Boot reiterated for the Senate committee a concern expressed at the Assembly informational hearing in February—that the CCPA creates an onerous private right of action, allowing anyone to sue businesses that have suffered a data breach without having to show proof of injury.
“The minimum statutory damages awarded could put folks out of business,” she said.
• Confusing language in the non-discrimination section of the CCPA raises doubts about the legality of loyalty and rewards programs offered by retailers, grocers, hotels and airlines. Unless the section is clarified, it will be up to the courts to determine the fate of these programs.
• Without clarification, the definition of “consumer” could be interpreted to include employees.
• The impact of the CCPA on targeted online advertising deserves clarification. No personally identifiable information is being sold. The internet ecosystem—from small blogs to large publications—and businesses of all sizes depends on this advertising network to reach consumers.
The CalChamber is leading a coalition of concerned businesses that is working to fix flaws in the CCPA before it goes into effect on January 1, 2020. Legislation signed last year (SB 1121) corrected a handful of problems, but much more remains to be done.