Will the California Consumer Privacy Act Survive Big Tech?

Will the California Consumer Privacy Act Survive Big Tech?

It should come as no surprise that many in the tech industry are not happy about the California Consumer Privacy Act. As we speed toward January 1, 2020, industry lobbyists and business-geared legislators are pushing a number of amendments that could severely limit the effectiveness and reach of the CCPA.

Todd Weaver and Brendan Eich recently wrote an op-ed in the Mercury News about the generational shift in tech companies’ approach to privacy: while new, smaller tech companies see the appeal and necessity of privacy regulation, Big Tech is digging in its heels.

Secretly, our colleagues in Big Tech worry about privacy violations too. That’s why so many of them prohibit their own children from using the products and services they push on an unwitting public.
We represent a new generation of privacy-focused companies that believe we should not build things we wouldn’t let our own kids use. We support strong privacy protections, not just token “regulation” that doesn’t really protect consumers. That’s why we (and others) have called on the legislature to actually strengthen California’s consumer privacy law.
Big Tech, though? They’re calling for something else entirely: watering down California’s law as much as possible.

As Weaver and Eich point out, most of the movement we’ve seen the legislature take in amending the CCPA has been to weaken it. Proposed amendments such as SB 561, which would have provided a private right of action for any violation of the law (as opposed to just data breaches), and AB 1760 (the so-called “Privacy For All” amendment), have been soundly defeated.

AB 1760, in particular, would have changed the law throughout, including changing the requirement for companies in many instances from disclosing general categories of information held and companies shared with to disclosing specifics, turning many of the opt-outs for sharing with third parties into opt-ins, and making it mandatory for a business to collect and keep as little information as possible to facilitate its business (aka “data minimization”), among other reforms. Neither bill made it out of committee.

On the other hand, there are several pending amendments that would limit the reach of the CCPA. Some, such as AB 25, which would clarify that companies need not treat their own employee data as consumer personal information, could reasonably be described as simply clarifying an oversight in the CCPA’s drafting. AB 873, on the other hand, redefines “personal information” as “reasonably capable” of being associated with a consumer or household instead of just “capable,” protecting a significantly smaller swath of data.

Another major example was SB 753, an effort to exempt online advertising from many of the protections of the CCPA. Typically, a publisher of a website displaying an ad exchanges information about its viewers with companies interested in purchasing the ad space. Under the current iteration of the CCPA, this information likely constitutes personal information as an “online identifier,” and consumers would have the right to opt out of this exchange of information. SB 753 would have amended the CCPA to classify these exchanges of online identifiers as not a “sale,” and thus circumventing the right to opt out.

SB 753 demonstrates the divide legislators are likely to face throughout this process. While advertisers argue that requiring an opt-in system would kill online advertising as we know it, privacy advocates feel that even exempting just enough to facilitate the advertising would defeat the policy purposes underlying the CCPA. For example, Johnny Ryan, Chief Policy & Industry Relations Officer for internet browser Brave, wrote an open letter to the bill’s author arguing that SB 753 would “seriously undermine” the CCPA. In particular, Ryan pointed out that if SB 753 were to pass, the newly-permitted “bid requests” sent between website publishers and advertisers could reasonably include the following, many of which are highly sensitive pieces of information but would no longer be protected:

• The URL of what the person is reading/watching/listening to.

• The person’s age.

• The person’s GPS coordinates.

• The person’s IP address (Google anonymizes this, but other companies do not).

• Category codes of content the person is loading, which can reveal their interests, medical conditions, and other sensitive facts. 
Example Google codes: 571 eating disorders, 410 left-wing politics, 202 male impotence, 862 Buddhism, 625 AIDS & HIV, 547 African-Americans. 
Example IAB codes: IAB7-9 Bipolar disorder, IAB 7-18 Depression, IAB 7-3 AIDS/HIV, IAB 23-10 Latter-Day Saints, IAB 23-8 Judaism.

• Unique codes and device descriptions that allow the latest personal information about the person to be added to existing profiles about them.

While SB 753 was withdrawn, this is likely not the last time we’re going to see such an amendment surrounding online advertising. The CCPA’s continued reformation is going to remain a balancing act between privacy advocates decrying attempts to water down the CCPA’s protections and the tech industry pleading for reasonable measures that will stop short of flipping their entire world upside down. Where we end up is anybody’s guess.

Disclaimer: This information is given for legal education only. This post is not legal advice and does not create an attorney-client relationship. Please contact an attorney for legal advice.
Daniel J. Zarchy