San Francisco, March 3, 2019
Assemblymember Ed Chau, Chair
Assembly Privacy and Consumer Protection Committee
State Capitol, Room 5016
Sacramento, CA 95814
Re: California Consumer Privacy Law Corrections
Dear Chairman Chau,
As one of the principal commentators, scholars, teachers and advisers on California privacy law, I want to first congratulate you and the California Legislature on the passage of many innovative and cutting-edge information privacy and security laws over the years, making California one of the leading jurisdictions globally, as I frequently note in my books, articles, lectures and presentations around the world.
To maintain this leadership position, I respectfully recommend to you and your staff the following technical corrections to the California Consumer Privacy Act and to other California privacy laws that have now become obsolete or outdated due to the passage of the CCPA. In making these recommendations to you, I do not mean to comment on any new privacy bills or proposals to substantively modify the CCPA.
What I do propose in this letter are technical corrections, which I believe are urgently necessary to rationalize and deconflict California’s myriad privacy statutes, keep California in its leadership role as one of the most advanced and innovative jurisdictions worldwide when it comes to information technologies and privacy laws, make a compelling case against broad federal preemption, allow businesses to understand and comply with applicable law, and achieve the very purpose of privacy laws — to protect the personal information of the people of California.
First, the California Legislature should correct all remaining obvious errors and typos in the CCPA (which understandably and unavoidably occurred, given the fast-track legislative history and ballot initiative background), including the following:
- Civ. Code §1798.100(e) and Cal. Civ. Code §1798.110(d)(1) should be deleted as they contradict the remainder of the CCPA; the sections each state that "This section shall not require a business to retain any personal information," but no section in the CCPA requires any business to retain any information, and based on the legislative purposes of the CCPA, less information collection/retention is preferable over more.
- In Cal. Civ. Code §1798.105(d)(1), with respect to "… in order to: ... or reasonably anticipated within the context of a business's ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer," the sentence structure could be corrected by adding "perform actions that are" before "reasonably anticipated ...."
- Civ. Code §1798.110(c)(5) states "A business that collects personal information about consumers shall disclose, pursuant to subparagraph (B) of paragraph (5) of subdivision (a) of Section 1798.130: The specific pieces of personal information the business has collected about that consumer"; but, in the interest of data privacy, "specific pieces of information" should not be disclosed in an online privacy policy, on the website of a company, only "categories," as already contemplated in 1798.110(c)(1); therefore, Subsection 1798.110(c)(5) should be simply deleted.
- Civ. Code §1798.120(c) states "… the consumer is less than 16 years of age, unless the consumer, in the case of consumers between 13 and 16 years of age …" which results in an inconsistent rule for 16-year-olds; this could be corrected by writing "consumer who is at least 13 years and not yet 16 years old."
- In Cal. Civ. Code §1798.125(b)(1), the sentence "A business may also offer a different price, rate, level, or quality of goods or services to the consumer if that price or difference is directly related to the value provided to the consumer by the consumer’s data" should be corrected to read "… the value provided to the business ...."
- Regarding Cal. Civ. Code §1798.140(b): “… an individual’s deoxyribonucleic acid (DNA) …,” DNA is not data, it is human material from which data can be obtained; this error could be corrected by deleting reference to DNA because information about DNA is already covered by other categories sufficiently.
- In Cal. Civ. Code §1798.140(d)(7): "… that is owned, manufactured, manufactured for, or controlled by the business …," the reference to "manufactured" is duplicative and "manufactured for" should be deleted.
- In Cal. Civ. Code §1798.140(k): "'Health insurance information' means …, " the defined term is not used elsewhere in the CCPA; the definition should be deleted.
- In Cal. Civ. Code §1798.140(o)(2), the statement “‘Publicly available’ does not include consumer information that is de-identified or aggregate consumer information” should be corrected by replacing "Publicly available" with "personal information."
- In Cal. Civ. Code §1798.140(s)(9) at "Subjected by the business conducting the research to additional security controls limit access to the research data to only those individuals in a business as are necessary to carry out the research purpose" a "to" is missing in front of "limit."
- Cal. Civ. Code §1798.140(o)(2) states "For these purposes, 'publicly available' means information that is lawfully made available from federal, state, or local government records, if any conditions associated with such information." The last half sentence, "if any conditions associated with such information," is incoherent and should be deleted.
- In Cal. Civ. Code §1798.145(a)(6), the last sentence, "shall not permit from storing," is incoherent and should be deleted.
- In Cal. Civ. Code §1798.145(c)(B), the term "patient information" should be replaced by "personal information." If a business voluntarily protects any personal information as if it was subject to the strict rules of the Health Insurance Portability and Accountability Act or California Medical Instrumentation Association, it should not also have to comply with the CCPA. Also, the term "patient information" is not defined.
Second, the California Legislature should consider repealing or updating all other California privacy laws that are now superseded by the CCPA, including the following:
- Civ. Code § 1798.83 (Shine the Light) contains different disclosure requirements, definitions and specifications for website privacy policies, link placement and exceptions, which are now subsumed and superseded by the broader regime established by the CCPA.
- Bus. & Prof. Code §§ 22575–22579, aka the California Online Privacy Protection Act, prescribes different disclosure requirements, definitions and rules for online privacy policies, which are subsumed and superseded by the CCPA, which applies offline and online.
- Bus. & Prof. Code § 22584 and § 225845, the Student Online Personal Information Protection Act and Early Learning Personal Information Protection Act, protect the privacy of minors with disclosure and consent requirements, which are subsumed and superseded by the CCPA, which establishes parental consent and opt-in requirements for minors up to age 16.
- Civ. Code § 1749.60, et seq. imposes restrictions on the sale of personal information collected by supermarkets in the context of club cards, which are outdated and subsumed by the broader CCPA.
- The definitions, scope, requirements and liability provisions in Cal. Civ. Code §1798.82 (the existing breach notification law), Civ. Code §1798.90.5 (existing rules for automated license plate scan databases), and Cal. Civ. Code §1798.150 (CCPA liability provision) should be harmonized and streamlined to help businesses understand and comply with these related laws.
For privacy advocates and lawmakers, it is more exciting to create new privacy laws rather than revise the existing statutes. For businesses and other organizations, however, it is increasingly difficult or impractical to keep track of California’s myriad privacy laws (in addition to laws of other states and countries). For better or worse, the CCPA is extremely broad and prescriptive. Companies that undergo the process of establishing compliance with the CCPA over the next year should not also be required to analyze and apply dozens of additional California privacy laws with overlapping, inconsistent or outdated requirements pertaining to the collection and sharing of personal information. The best way to ensure that companies follow California’s new privacy laws is to make those laws as simple as possible. Investing in a little bit of code clean-up would assist in that new compliance challenge greatly.
Please let me know if you have any questions or if I can be of any assistance. I am submitting this letter on behalf of myself, not on behalf of my law schools, law firm, clients or others.
Best regards,
Lothar Determann
2 Embarcadero Center, 11th Floor
San Francisco, CA 94111
ldetermann@bakernet.com
Attachments, separately submitted:
- biographical information
- publications