
Privacy Perspectives | An open letter to the California legislature on updating the CCPA

Editor's Note:

The following Privacy Perspectives post is an open letter from Lothar Determann. The suggested changes and updates to the California Consumer Privacy Act are presented on his behalf. Comments are welcomed in the comment section below. 

San Francisco, March 3, 2019
Assemblymember Ed Chau, Chair
Assembly Privacy and Consumer Protection Committee
State Capitol, Room 5016
Sacramento, CA 95814

Re: California Consumer Privacy Law Corrections

Dear Chairman Chau,

As one of the principal commentators, scholars, teachers and advisers on California privacy law, I want to first congratulate you and the California Legislature on the passage of many innovative and cutting-edge information privacy and security laws over the years, making California one of the leading jurisdictions globally, as I frequently note in my books, articles, lectures and presentations around the world.

To maintain this leadership position, I respectfully recommend to you and your staff the following technical corrections to the California Consumer Privacy Act and to other California privacy laws that have now become obsolete or outdated due to the passage of the CCPA. In making these recommendations to you, I do not mean to comment on any new privacy bills or proposals to substantively modify the CCPA.

What I do propose in this letter are technical corrections, which I believe are urgently necessary to rationalize and deconflict California’s myriad privacy statutes, keep California in its leadership role as one of the most advanced and innovative jurisdictions worldwide when it comes to information technologies and privacy laws, make a compelling case against broad federal preemption, allow businesses to understand and comply with applicable law, and achieve the very purpose of privacy laws — to protect the personal information of the people of California.

First, the California Legislature should correct all remaining obvious errors and typos in the CCPA (which understandably and unavoidably occurred, given the fast-track legislative history and ballot initiative background), including the following:

  • Civ. Code §1798.100(e) and Cal. Civ. Code §1798.110(d)(1) should be deleted as they contradict the remainder of the CCPA; the sections each state that "This section shall not require a business to retain any personal information," but no section in the CCPA requires any business to retain any information, and based on the legislative purposes of the CCPA, less information collection/retention is preferable over more.
  • In Cal. Civ. Code §1798.105(d)(1), with respect to "… in order to: ... or reasonably anticipated within the context of a business's ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer," the sentence structure could be corrected by adding "perform actions that are" before "reasonably anticipated ...."
  • Civ. Code §1798.110(c)(5) states "A business that collects personal information about consumers shall disclose, pursuant to subparagraph (B) of paragraph (5) of subdivision (a) of Section 1798.130: The specific pieces of personal information the business has collected about that consumer"; but, in the interest of data privacy, "specific pieces of information" should not be disclosed in an online privacy policy, on the website of a company, only "categories," as already contemplated in 1798.110(c)(1); therefore, Subsection 1798.110(c)(5) should simply be deleted.
  • Civ. Code §1798.120(c) states "… the consumer is less than 16 years of age, unless the consumer, in the case of consumers between 13 and 16 years of age …" which results in an inconsistent rule for 16-year-olds; this could be corrected by writing "consumer who is at least 13 years and not yet 16 years old."
  • In Cal. Civ. Code §1798.125(b)(1), the sentence "A business may also offer a different price, rate, level, or quality of goods or services to the consumer if that price or difference is directly related to the value provided to the consumer by the consumer’s data" should be corrected to read "… the value provided to the business ...."
  • Regarding Cal. Civ. Code §1798.140(b): “… an individual’s deoxyribonucleic acid (DNA) …,” DNA is not data, it is human material from which data can be obtained; this error could be corrected by deleting reference to DNA because information about DNA is already covered by other categories sufficiently.
  • In Cal. Civ. Code §1798.140(d)(7): "… that is owned, manufactured, manufactured for, or controlled by the business …," the reference to "manufactured" is duplicative and "manufactured for" should be deleted.
  • In Cal. Civ. Code §1798.140(k): "'Health insurance information' means …," the defined term is not used elsewhere in the CCPA; the definition should be deleted.
  • In Cal. Civ. Code §1798.140(o)(2), the statement “‘Publicly available’ does not include consumer information that is de-identified or aggregate consumer information” should be corrected by replacing "Publicly available" with "personal information."
  • In Cal. Civ. Code §1798.140(s)(9) at "Subjected by the business conducting the research to additional security controls limit access to the research data to only those individuals in a business as are necessary to carry out the research purpose" a "to" is missing in front of "limit."
  • Cal. Civ. Code §1798.140(o)(2) states "For these purposes, 'publicly available' means information that is lawfully made available from federal, state, or local government records, if any conditions associated with such information." The last half sentence, "if any conditions associated with such information," is incoherent and should be deleted.
  • In Cal. Civ. Code §1798.145(a)(6), the last sentence, "shall not permit from storing," is incoherent and should be deleted.
  • In Cal. Civ. Code §1798.145(c)(B), the term "patient information" should be replaced by "personal information." If a business voluntarily protects any personal information as if it was subject to the strict rules of the Health Insurance Portability and Accountability Act or California Medical Instrumentation Association, it should not also have to comply with the CCPA. Also, the term "patient information" is not defined.

Second, the California Legislature should consider repealing or updating all other California privacy laws that are now superseded by the CCPA, including the following:

  • Civ. Code § 1798.83 (Shine the Light) contains different disclosure requirements, definitions and specifications for website privacy policies, link placement and exceptions, which are now subsumed and superseded by the broader regime established by the CCPA.
  • Bus. & Prof. Code §§ 22575–22579, aka the California Online Privacy Protection Act, prescribes different disclosure requirements, definitions and rules for online privacy policies, which are subsumed and superseded by the CCPA, which applies offline and online.
  • Bus. & Prof. Code § 22584 and § 225845, the Student Online Personal Information Protection Act and Early Learning Personal Information Protection Act, protect the privacy of minors with disclosure and consent requirements, which are subsumed and superseded by the CCPA, which establishes parental consent and opt-in requirements for minors up to age 16.
  • Civ. Code § 1749.60, et seq. imposes restrictions on the sale of personal information collected by supermarkets in the context of club cards, which are outdated and subsumed by the broader CCPA.
  • The definitions, scope, requirements and liability provisions in Cal. Civ. Code §1798.82 (the existing breach notification law), Civ. Code §1798.90.5 (existing rules for automated license plate scan databases), and Cal. Civ. Code §1798.150 (CCPA liability provision) should be harmonized and streamlined to help businesses understand and comply with these related laws.

For privacy advocates and lawmakers, it is more exciting to create new privacy laws rather than revise the existing statutes. For businesses and other organizations, however, it is increasingly difficult or impractical to keep track of California’s myriad privacy laws (in addition to laws of other states and countries). For better or worse, the CCPA is extremely broad and prescriptive. Companies that undergo the process of establishing compliance with the CCPA over the next year should not also be required to analyze and apply dozens of additional California privacy laws with overlapping, inconsistent or outdated requirements pertaining to the collection and sharing of personal information. The best way to ensure that companies follow California’s new privacy laws is to make those laws as simple as possible. Investing in a little bit of code clean-up would assist in that new compliance challenge greatly. 

Please let me know if you have any questions or if I can be of any assistance. I am submitting this letter on behalf of myself, not on behalf of my law schools, law firm, clients or others.

Best regards,

Lothar Determann
2 Embarcadero Center, 11th Floor
San Francisco, CA 94111
ldetermann@bakernet.com

Attachments, separately submitted:

  • biographical information
  • publications

Top image by Makaristos [Public domain], from Wikimedia Commons

1 Comment


  • Lothar Determann • Mar 21, 2019

    Many thanks for good comments received from fellow IAPP members after the IAPP published my draft open letter. Here is the final version I mailed on March 8, 2019:

    Re. California Consumer Privacy Law Corrections

    Dear Chairman Chau,

    As one of the principal commentators, scholars, teachers and advisors on California privacy law, I want to first congratulate you and the California Legislature on the passage of many innovative and cutting-edge information privacy and security laws over the years, making California one of the leading jurisdictions globally, as I frequently note in my publications and presentations.

    To maintain this leadership position, I respectfully recommend that you and your staff consider advancing a number of technical corrections to the California Consumer Privacy Act of 2018 ("CCPA") and to other California privacy laws that have become obsolete or redundant due to the passage of the CCPA. In making these recommendations, I do not mean to comment on any bills or proposals intended to substantively modify the CCPA.

    What I do propose in this letter are strictly technical corrections that are urgently necessary: necessary to rationalize and harmonize California’s myriad privacy statutes; necessary to keep California in its leadership role as one of the most advanced and innovative jurisdictions worldwide when it comes to information technologies and privacy laws; necessary to make a compelling case against broad federal statutory preemption; necessary to allow businesses to understand and comply with applicable law; and necessary to achieve the very purpose of privacy laws – to protect the personal information of the people of California. I would welcome an opportunity to meet with your staff to go over my proposals.

    First, the California Legislature should correct all remaining typographical and other manifest errors in the CCPA (the presence of which is understandable given the fast track legislative history and ballot initiative background), including the following:

    • Cal. Civ. Code §1798.100(e) and Cal. Civ. Code §1798.110(d)(1) should be deleted as they contradict the remainder of the CCPA. These sections each state "This section shall not require a business to retain any personal information," but no provision of the CCPA requires any business to retain any information, and the general approach of the CCPA is to encourage minimization of information collection/retention.
    • In Cal. Civ. Code §1798.105(d)(1), the words "perform actions that are" should be inserted immediately before the words "reasonably anticipated."
    • Cal. Civ. Code §1798.110(c)(5) states, "A business that collects personal information about consumers shall disclose, pursuant to subparagraph (B) of paragraph (5) of subdivision (a) of Section 1798.130: The specific pieces of personal information the business has collected about that consumer." In the interest of data privacy, "specific pieces of information" should not be disclosed in an online privacy policy, on the website of a company, but rather only "categories" of personal information as contemplated in 1798.110(c)(1). Accordingly, subsection 1798.110(c)(5) should be deleted.
    • Cal. Civ. Code §1798.120(c) states "… the consumer is less than 16 years of age, unless the consumer, in the case of consumers between 13 and 16 years of age …." This results in an inconsistent rule for 16 year-olds, which could be avoided by revising the clause to read "consumer who is at least 13 but not yet 16 years of age."
    • In Cal. Civ. Code §1798.125(a)(2) and (b)(1) "... value provided to the consumer by the consumer’s data" should be corrected to read "… value provided to the business by the consumer's data."
    • The reference in Cal. Civ. Code §1798.140(b) to “an individual’s deoxyribonucleic acid (DNA)” is erroneous because DNA is not data but rather human material from which data can be obtained. This error could be corrected by deleting this reference, as information about DNA is covered sufficiently by other categories as "personal information."
    • Cal. Civ. Code §1798.140(d)(7): The words "manufactured for" should be deleted from the phrase, "that is owned, manufactured, manufactured for, or controlled by the business."
    • Cal. Civ. Code §1798.140(k): The definition of "Health insurance information" should be deleted as this term is not used elsewhere in the CCPA.
    • In Cal. Civ. Code §1798.140(o)(2), the sentence, “‘Publicly available’ does not include consumer information that is deidentified or aggregate consumer information” should be corrected by replacing the term "Publicly available" with the term "Personal information."
    • Cal. Civ. Code §1798.140(s)(9): In the sentence, "Subjected by the business conducting the research to additional security controls limit access to the research data to only those individuals in a business as are necessary to carry out the research purpose," the word "that" should be inserted immediately before the word "limit."
    • Cal. Civ. Code §1798.140(o)(2) reads, "For these purposes, 'publicly available' means information that is lawfully made available from federal, state, or local government records, if any conditions associated with such information." The last phrase ("if any …") is incomplete and should be deleted.
    • Cal. Civ. Code §1798.145(a)(6): The last sentence (including "shall not permit a business from storing") should be deleted.
    • In Cal. Civ. Code §1798.145(c)(1)(B), the term "patient information" should be replaced by the term "personal information." If a business voluntarily protects any personal information as if it were subject to the strict rules of HIPAA or CMIA, it should not also have to comply with the CCPA. Also, the term "patient information" is not defined.

    Second, the California Legislature should consider repealing or updating all other California privacy laws that the CCPA subsumes, including the following:

    • Cal. Civ. Code § 1798.83 (Shine the Light) contains different disclosure requirements, definitions and specifications for website privacy policies, link placement and exceptions, which are now subsumed by the broader regime established by the CCPA.
    • Cal. Bus. & Prof. Code §§ 22575–22579, the California Online Privacy Protection Act (CalOPPA), prescribes different disclosure requirements, definitions and rules for online privacy policies, which are subsumed by the CCPA (applicable offline and online).
    • Cal. Bus. & Prof. Code § 22584 and § 225845, the Student Online Personal Information Protection Act (SOPIPA) and the Early Learning Personal Information Protection Act (ELPIPA) protect the privacy of minors through disclosure and consent requirements, which are now subsumed by the CCPA's requirements for parental consent and opt-in consent from minors up to age sixteen.
    • Cal. Civ. Code § 1749.60, et seq., the Supermarket Club Card Disclosure Act of 1999, imposes restrictions on the sale of personal information collected by supermarkets in the context of loyalty cards. Such restrictions are subsumed by the broader CCPA.
    • The definitions, scope, requirements and liability provisions in Cal. Civ. Code §1798.82 (the existing breach notification law), Cal. Civ. Code §1798.90.5 (existing rules for automated license plate scan data bases) and Cal. Civ. Code §1798.150 (CCPA liability provision) should be harmonized and streamlined to help businesses understand and comply with these related obligations.

    For privacy advocates and lawmakers, it is more exciting to create new privacy laws than to revise the existing statutes. For businesses and other organizations, however, it is increasingly difficult or impractical to keep track of California’s numerous privacy laws (in addition to laws of other states and countries). For better or worse, the CCPA is extremely broad and prescriptive. Companies that establish compliance with the CCPA over the next year should not also be required to analyze and apply additional California privacy laws with overlapping, inconsistent or outdated requirements pertaining to the collection and sharing of personal information. The best way to ensure that organizations follow California’s new privacy laws is to make compliance with those laws as simple as possible. Investing in a measure of code clean-up would materially assist them in that new compliance challenge.

    Please let me know if you have any questions or if I can be of any assistance. I am submitting this letter on my own behalf, not on behalf of my law schools, law firm, clients or others.

    Best regards,

    Lothar Determann