My name is Mary Stone Ross. I was one of the original proponents and a co-author of the initiative that became the California Consumer Privacy Act, although I am no longer affiliated with Californians for Consumer Privacy.
I do not have the typical privacy advocate background. Previously, I served as a Central Intelligence Agency officer and later as counsel on the House Intelligence Committee. In that role, one of our responsibilities was to provide oversight over another surveillance program — the National Security Agency wiretapping program Edward Snowden so famously disclosed. Three years ago, as I started to research the amount of data private businesses collect, I found the private practices many times more intrusive, and yet — in contrast to the NSA program — there was very little oversight.
I found this terrifying. The obvious need for transparency and oversight inspired my approach to good privacy regulation.
The CCPA is a monumental step forward for consumers’ privacy; however, before the law goes into effect Jan. 1, 2020, it needs to be “cleaned up” — to use the rhetoric of the Sacramento crowd who collectively has introduced more than 40 new bills to amend the CCPA.
To help shed more light on my thinking here, these are the comments I delivered at the California Attorney General’s final public forum at Stanford, California. These are certainly not my only concerns about the CCPA, but I constrained my remarks to the areas that the attorney general statutorily can change.
[quote]I am here today to remind Attorney General Xavier Becerra and his office of our original intent inspiring the initiative: to give all Californians meaningful transparency into what personal information businesses are collecting about them and their devices and — unlike current privacy laws — make sure that the law could be enforced.
As you are aware, the "right to privacy" is a fundamental right protected by the California constitution, and the state has a clear interest in protecting the privacy rights of its citizens. Today, businesses can state their policies in vague terms, change them more or less at will, and offer very little, if any, privacy protections to consumers. The CCPA will change this and shift the balance of power more equally toward consumers, but there are ways that your office can make the protections even stronger.
Transparency — the "right to know" in the CCPA — is the cornerstone of the entire law. A consumer can only truly consent to the collection, use and the sale of their personal information — including the terms of service and privacy policies they readily click to agree to — if they understand what information is being collected. For example, if a flashlight app is, in fact, collecting precise geographic location, that should be clearly disclosed. Thus, the burden on consumers to make a verifiable request should be as low as possible.
I think that there should be two standards of verifiable requests: One, if a consumer is only requesting the categories of information a business is collecting; and a second, higher standard, if a consumer is requesting the specific pieces of personal information. It should be as easy as possible for a consumer to request the categories of information. It should also be legally clear that a consumer can exercise their right to know the categories of personal information without finding out the specific pieces. From a consumer privacy standpoint, it does make sense to have a much higher standard of verifiable request if a consumer is requesting the specific pieces of personal information. Further, since many businesses that do not have a direct relationship with a consumer still collect that consumer’s personal information, a consumer should be allowed to authorize a third party — including a nonprofit or another business — to opt out of the sale of their personal information on their behalf.
Definitions are critical. I agree with some of the criticisms of the CCPA that “household” is a vague and ill-defined term. However, it is necessary that a consumer be allowed to find out what personal information a business collects about their devices since, for example, my cellphone and watch travel with me everywhere and — from a data collection standpoint — are essentially me. I advise that the definition of personal information is changed to delete references to “households” and go back to the original reference of “individual consumer or device.”
We wanted to create a living law that could be updated as technologies changed, the lack of which was a failing in past privacy regulations. There is, therefore, a thoughtful burden on the attorney general’s office to continuously add to the categories of personal information. For starters, I would advise that “psychometric information” is added back to the categories of personal information, as defined by the initiative. As evidenced by the Cambridge Analytica scandal, this is clearly a category that consumers need to know.
Enforcement is key. I agree with the concerns raised by your office that the attorney general alone is not well positioned to be the sole enforcer of such a broad act. I encourage your office to work with Sacramento to allow, like the original initiative, enforcement by any district attorney or by any county counsel, city attorney or city prosecutor whose city or county meets certain population thresholds.
As written, the nondiscrimination provision is a mess and, in effect, is a non-nondiscrimination provision. I encourage your office to work with Sacramento to come up with guidelines on when a consumer can sell their personal information, with the understanding that privacy is not a commodity that only the wealthy should be able to afford. Consumers are in a position of relative dependence with respect to the technologies and many of the apps that we use. Businesses have considerable expertise and knowledge about the value and uses of our data. Therefore, in order for the consumer to give meaningful consent, the business should have the burden to clearly define the value provided to the business by the consumer’s data.
Finally, I want to remind all interested parties that privacy is good for business. When we drafted the initiative, we wanted to encourage businesses to comply. It was one of the reasons why we decided not to regulate the collection of personal information, as this too is a win for consumers.
I urge you to make your guidelines as clear as possible to ease the burden of compliance.[/quote]