Data aggregation has long been an important part of business analysis, from collecting information on past consumer trends to predicting the next big hit. Recently, the California Consumer Privacy Act’s provisions on data aggregation have become a warzone between privacy advocates and businesses concerned with the law’s scope.
AB 873, which is working its way through the committee process, would make two prominent changes that privacy advocates say would dramatically weaken the effectiveness of the CCPA.
The CCPA, as originally passed by the California legislature, defined personal information as information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household[.]” The first major change included in AB 873 would be to amend this definition to only include information that is “reasonably capable” of such identification.
The CCPA also states that it “shall not restrict a business’s ability to: . . . [c]ollect, use, retain, sell, or disclose consumer information that is deidentified or in the aggregate consumer information.” AB 873 would dramatically ease this language as well.
These changes would affect companies both in the type of data that the company can collect and store and the type of data that the company would be obligated to disclose and potentially delete if the consumer requested it.
As originally provided in the CCPA, deidentified data is defined as “information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer[.]” The company in question must also take steps to ensure the security and continued de-identification of the data:
(1) Has implemented technical safeguards that prohibit reidentification of the consumer to whom the information may pertain.
(2) Has implemented business processes that specifically prohibit reidentification of the information.
(3) Has implemented business processes to prevent inadvertent release of deidentified information.
(4) Makes no attempt to reidentify the information.
AB 873, other parts of which we’ve discussed briefly on this blog, would change the definition of deidentified data to information that “does not identify and is not reasonably linkable, directly or indirectly, to a particular consumer[.]” The company would still be obligated to “make[] no attempt to reidentify the information, and take[] reasonable technical and administrative measures” to:
(1) Ensure that the data is deidentified.
(2) Publicly commit to maintain and use the data in a deidentified form.
(3) Contractually prohibit recipients of the data from trying to reidentify the data.
So what does this mean? First, businesses engaged in data aggregation will have much less to worry about in ensuring that their data fits the definition of “deidentified” rather than “personal information.” The original definition of “deidentified,” particularly the “capable of being associated with” language, can describe quite a lot of data. The company would also be freed from implementing the safeguards and business practices to keep the data deidentified. This change would, AB 873’s advocates argue, give better guidance and certainty to the business community attempting to comply with the CCPA.
However, privacy advocates are concerned. The Senate Judiciary Committee’s comments describe the opposition to AB 873 as essentially stating that, even if companies abide by the letter of the amended law, the data would still be at risk of being re-identified.
For example, the comments cite location data tracked by a smartphone, which is tied to a unique identifier and thus technically deidentified, but could still be tracked to a specific person. The comments also cite the example of IP addresses being shared with advertising networks, which allow private companies to track everywhere we go and everything we do on the Internet. Even if this data is stored in a deidentified manner, it can easily be reconstructed to point to a specific consumer.
As a result, the Committee concluded:
Ultimately, the bill’s expansion of what is considered deidentified reduces what information consumers have access to and control over despite the capability of that information to be associated back to specific individuals. Whereas now, a consumer has the right to demand a business give them all of the personal information the business has on them, pursuant to the new definition of deidentified businesses will be able to hide the ball. Arguably, that moves the CCPA in the opposite direction of its stated goals.
AB 873’s prognosis isn’t clear. The Senate Judiciary Committee voted it down on July 9, 2019, but granted reconsideration. The Committee instead suggested axing the proposed amendments, in favor of adding the following language to Civil Code 1798.145:
(x) This title shall not be construed to obligate a business to:
(1) Comply with a verified consumer request to access or delete personal information pursuant to subsection (a) of Section 1798.100, subsection (a) of Section 1798.105, or subsection (a) of Section 1798.110, if all of the following are true:
(A) The business is not reasonably capable of linking or associating the request with the personal information.
(B) The business does not use the information to recognize or respond to the specific consumer who is the subject of the personal information, or link or associate the personal information with other personal information about the same specific consumer.
(C) The business does not sell or otherwise voluntarily disclose the personal information to any third party, except as otherwise permitted in this Section.
(2) Maintain information in identifiable or linkable form, or collect, obtain, retain, or access any data or technology, in order to be capable of linking or associating a verified customer request with personal information.
According to the Committee, “[t]hese amendments maintain the addition of ‘reasonably’ in the definition of personal information to achieve the goals stated above, but remove the compounding effect of also dramatically changing the definition of deidentified. This more surgical approach provides businesses a better-defined set of obligations without hollowing out the CCPA.”
Data aggregation isn’t going anywhere, and neither is this fight. We’ll see how this dispute shapes up and what the amendment looks like by the time the Committee is done with it.
Disclaimer: This information is given for legal education only. This post is not legal advice and does not create an attorney-client relationship. Please contact an attorney for legal advice.
Daniel Zarchy is a civil litigator and privacy attorney in San Francisco, California. Daniel is also a Certified Information Privacy Professional (CIPP/US). The views and opinions expressed herein are solely those of the author and do not necessarily reflect the views or opinions of any other party or law firm.