From the land of Silicon Valley comes privacy regulations that may have a tremendous impact on how tech companies use and share your data.
Modelled largely off the EU’s GDPR, the California Consumer Privacy Act (CCPA) is the largest and most comprehensive online privacy regulation passed in the United States to date. The regulation provides California residents extensive rights over what personal information companies collect, how the information is used, and even gives consumers the right to opt-out of data collection all together.
The bill was passed into law in September 2018 and goes into effect this coming January. With the door fast closing, the race is on to add amendments and further clarifications to the new law. Last Tuesday, California Senate’s Judiciary Committee voted on a series of new amendments that could limit the scope of the CCPA.
Here is a brief primer on the three most contested amendments and their fate in last Tuesday’s hearing.
This amendment proposes that business should be able to sell personal information even if consumer has opt-ed out if the sale is “for the sole purpose of detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity.” The amendment worried many privacy experts, who considered it to open major loopholes in the regulation. Specifically, according to one commentator, the bill would “would chip away at the rights of Californians by allowing law enforcement to get around existing warrant requirements to access personal information.”
The bill was withdrawn by the author, Assemblyman Ken Cooley, at the last minute and so no vote was taken. However, according to some reports, it’s possible to bill will reappear for a vote next year, after the law has gone into effect.
This amendment would exclude any de-identified data from the scope of the regulation. The real issue, however, is that bill lowers the threshold of what information is understood as de-identified. According to the amendment, data such as I.P. addresses and browser fingerprints would now be considered as de-identified information. However, according the senior counsel for policy and privacy at Common Sense Media, Ariel Fox Johnson, that information could potentially be used to re-identity data to specific users. “Deidentification is not a privacy protective technique if deidentified information can identify you.”
The vote on the amendment was split 3-3, so the bill did not pass. However, the bill’s author was granted reconsideration, so it is possible another vote on the amendment will be taken before the end of the summer.
Another proposed amendment takes aim at restrictions on employers. As Bloomberg Law reports, the bill “would exempt personal information employers have about their employees from the privacy law’s requirement that it be disclosed or deleted upon request.”
The bill passed with 8-0 votes in favor, but with added changes that still require employers to inform employees about the types of information they are collecting about them and why.
The California legislature has until September 13, 2019 to pass bills amending the CCPA. Any bills up for reconsideration must still pass a vote in the Senate’s Judiciary Committee. All approved bills will then move to the Committee on Appropriations for a vote in August, to be followed by a vote of the full Senate.
While it is likely some of these changes will go into effect, the results of the Judiciary Committee’s hearing make clear that the main purpose of the CCPA will remain intact. As a result, businesses should be taking this bill seriously and begin looking into what processes will need to be implemented in order to comply with these new regulations.