For the first half of 2018, all eyes were focused eastward on the EU with the start of GDPR enforcement this May. Now, all eyes are shifting westward based on a bold new law passed by California. By January 1, 2020, companies around the world will have to comply with additional regulations related to the processing of personal data of California residents. Pursuant to the California Consumer Privacy Act of 2018, companies must observe restrictions on data monetization business models, accommodate rights to access, deletion, and porting of personal data, update their privacy policies and brace for additional penalties and statutory damages. The California Legislature adopted and the Governor signed the bill on June 28, 2018 after an unusually rushed process in exchange for the proposed initiative measure No. 17-0039 regarding the Consumer Right to Privacy Act of 2018 (the “Initiative”) being withdrawn from the ballot the same day, the deadline for such withdrawals prior to the November 6, 2018 election.
In addition to being a partner at Baker & McKenzie, Lothar has taught data privacy law at many schools including Freie Universität Berlin, UC Berkeley School of Law, Hastings College of the Law, Stanford Law School, and University of San Francisco School of Law. He has written more than 100 articles and 5 books, including a treatise about California Privacy Law.
This October 3, Lothar will be leading a California Privacy Law Workshop at my event, the Privacy+Security Forum.
SOLOVE: In what ways is this law significant and innovative?
DETERMANN: With this law, California responds to growing public concerns regarding trading of personal data and data security breaches. The Internet as we know it today – with a large ecosystem of charge-free services, funded through behavioral advertising and data commercialization – was born and raised in California. Perhaps it will die here too.
Free bicycle maps, mobile navigation services, social networks and much more — all innovative online services that could never have scaled to critical mass if companies were forced to rely on subscription fees for and after the initial launch. Other established pay services, such as news and email were quickly replaced by charge-free offerings. Let’s face it, consumers like free stuff and have never actually cared much about privacy in the past. See Lothar Determann, Social Media Privacy: a Dozen Myths and Facts, 7 Stanford Technology Law Review (2012). Based on user statistics and company earning reports, I do not believe this has changed today – the new law hardly came from “the people.”
Perhaps the most significant and innovative component of the Act is its anti-discrimination provisions. Few, if any, U.S. privacy laws – or any other U.S. law for that matter – dictate how companies may calculate prices or allocate costs. The new law will prohibit companies from charging California residents for the costs of data access, deletion and mobility requests, or discriminate against consumers who make such requests or opt-out of data trading. This may effectively doom charge-free services, as companies may no longer be able to rely on data monetization revenue to scale their business, e.g., from behavioral advertising on news sites, retargeting for online stores, or mobility data from apps.
Significant also is the breadth of the statute: Companies in all industry sectors, anywhere in the world, are required to comply and with respect to any categories of persona data. This feature of the law, though, is not particularly innovative, as it largely catches up with European data protection regulation, which is also extremely broad in scope and definitions.
Also significant are additional statutory damages for data security breaches. For more details, see Lothar Determann, Be Wary of Liability for Statutory Damages under California Consumer Privacy Act, Bloomberg BNA Privacy Law Watch (July 09, 2018). These will have a huge impact on companies that find themselves victims of a cyberattack or data theft and that under this new law may now face class action lawsuits containing claims for statutory damages of up to $750 per consumer – even if no consumer suffered any actual harm. This concept is not entirely new. California included similar provisions in a data security law pertaining specifically to automated license plate scanners back in 2016.
Innovative, but of significance only to a limited subset of companies, are new thresholds exempting companies with lower revenues and who do not trade user data. Few other, if any, privacy laws exempt smaller companies in this manner, given that consumer privacy interests can be harmed equally by small and large companies alike. Still, the new law also contains broad regulatory restrictions, beyond what is necessary to protect individual privacy so it seems appropriate to exempt smaller companies and in fact the thresholds in the new law may not too low.
Finally, new rules pertaining to dual public / private enforcement are noteworthy: Plaintiffs attorneys will have to notify companies of violations first and then offer the case to the California Attorney General, who can either prosecute the case, veto private litigation, or let the private litigation proceed. Additionally, the California Attorney General is financially incentivized to enforce the new law through the establishment of a “Consumer Privacy Fund” which will offset costs incurred by State Courts and the Attorney General in the course of enforcing the law, financed by 20% of all penalties that the Attorney General collects. The new system seems intended to curb the worst consequences of enforcement by class action lawsuits. At the same time, it also provides for private rights of action, statutory damages and penalties, all of which are expected to maintain pressure on companies through an active plaintiff’s bar.
SOLOVE: The law was very hastily drafted and has many areas that are confusing and unclear. What are some of the problems you have identified with the law?
DETERMANN: The law has numerous inconsistent and unclear provisions, which will hopefully be addressed in corrections during the next few months.
For example, instead of referring to the established definition of “security breach” as codified in other parts of the California Civil Code, the new Section 1798.150(a)(1) refers to “unauthorized access and exfiltration, theft, or disclosure.” While the qualifier “unauthorized” makes sense to limit “access, exfiltration and disclosure” it does not in the case of “theft.” Also, grammatically, “unauthorized” could be read to qualify only “access and exfiltration.” If this were the case though, any disclosure, even if authorized, could trigger statutory damages. Also, the concept of precluding statutory damages if a breach is cured (as in California Civil Code §1798.150(b)(1), while a good idea in principle, does not seem appropriate in the context of data security breaches, which can hardly ever be undone.
Perhaps an even bigger problem is that the new requirements are duplicative or inconsistent with disclosure and other requirements contained in the numerous existing California data privacy laws. The California Legislature should immediately revisit all existing California data privacy laws and abolish, or at a minimum, align and simplify sector and harm-specific privacy laws that require notice and consent in various forms and with nuanced requirements. In my practical guide and commentary, California Privacy Law (3rd edition, 2018), I cover hundreds of California and Federal privacy laws and my initial sense is that many of these can and should be repealed or simplified to align with the new provisions in the California Consumer Privacy Act.
SOLOVE: Are there any parts of the law that you find particularly praiseworthy or problematic?
DETERMANN: My personal view is that the broadened requirement for all companies and industries to provide notices regarding their data handling practices is appropriate and could simplify compliance if California repeals all the sector and situation-specific notice requirements, e.g., regarding website privacy policies (California Online Privacy Protection Act), direct marketing (Shine the Light Law), automated license plate scanners, etc.
I am not sure that data access and portability requirements are as crucial and worth the cost to society and consumers as a whole. If companies are forced to offer such rights, they should be able to charge those who make requests for the resulting costs. Companies should not be forced to abandon charge-free service offerings or raise prices for all customers to accommodate a subset population with special interests in data privacy or unrelated agendas. Most data access requests I have seen clients subjected to since GDPR came into effect were initiated by journalists, activists, IT contractors, disgruntled employees and consumers who had an entirely unrelated beef with the company, such as overdue bills being handed off to collection agencies or limitations on the use of gift cards accross physical and online stores.
Besides the statutory damages and “anti-discrimination” regulations we already covered earlier in this interview, perhaps the most problematic provision is the right to data deletion. The “right to be forgotten” is a conceptually pathetic obsession of politicians, who should strive to be remembered. Most people are sufficiently protected against harmful speech by existing laws prohibiting defamation, copyright infringement and various other forms of illegal communications. Granting broad deletion rights creates a slippery slope to “data minimization” as a principle.
The European goal of “data minimization” is hopelessly outdated – from the 1970s – irrespective of it being regurgitated in the GDPR. We need more – not less – information to make sound policy decisions, train artificial intelligence, enable autonomous cars to recognize people, improve medicine, etc. Where abusive data handling practices cause actual harm, governments should pass laws to address such harm and prohibit abusive practices. But, it is far too simplistic to prohibit all processing of personal data as a default position – as the GDPR does – or grant broad deletion rights – as the GDPR and now also the California Consumer Privacy Act both do.
The data genie is already out of the bottle, we cannot put it back in. If we are worried about bad things that companies or governments might do with personal data, then we need to tackle such bad things whatever they may be – undesirable differentiation in insurance tariffs, hiring practices, service offerings, etc. Data processing and trading as such is neutral and can have positive effects for data subjects, such as better planning, product development, anti-discrimination efforts, more relevant marketing, etc.
If we overly restrict data processing simply because it is in some way related to these bad practices, then we act like the drunk who searches for his key under a street lamp, even if he lost it somewhere else, because he thinks it is easier to search with light. If we attempt to prohibit personal data processing altogether as a default, we are tilting at windmills instead of tackling today’s real problems.
SOLOVE: What advice would you give to companies regarding compliance with the law?
DETERMANN: First of all, I would refer companies back to the point I made in our last interview (Beyond GDPR): Businesses need to assess holistically how they can align or combine compliance efforts to address the new California law with the same efforts they make to comply with EU GDPR and other countries’ laws.
Secondly, companies have to conduct a detailed assessment of whether and how they are affected. They should start now, because some provisions require potentially significant changes to business models and technical implementations.
Thirdly, companies should follow legislative developments closely. The California Legislature has a lot of clean-up to do, and there is also potential for federal preemption.
Last but not least, companies should consider whether they can and should treat Californians differently from people in other U.S. states and other countries going forward. Under the new law’s anti-discrimination provisions, companies have to treat all Californians the same. But, they are free to levy or increase charges only for Californians, set up California-only websites or stop doing business in California. Many options are theoretically available, although companies will of course need to bear in mind that California’s economy is now the 5th largest in the world, behind only the USA as a whole, China, Japan and Germany.
SOLOVE: What kind of impact do you think that this law will have?
DETERMANN: Companies face significant additional penalties, statutory damages, compliance costs, technical complexities and administrative burdens. Smaller companies will struggle. As a result of the law, we may see fewer start-ups founded and based in California, fewer innovative charge-free service offerings, higher prices for online services, and a greater number of nuisance requests and lawsuits.
Consumers will see more charges, even longer and more detailed privacy notices, including different versions for different jurisdictions, and perhaps different websites and interfaces to accommodate local compliance requirements and enable differentiated pricing.
Politicians may again now see a need to push for a federal privacy law that streamlines and simplifies the highly divergent state laws in this field – provided it were to preempt state privacy laws. If that happens, we may see an ossification of privacy laws, as federal law is more difficult to change, and U.S. privacy laws may follow the fate of EU data protection laws which took 23 years to update and in principle still look very much like laws from the 1970s.
SOLOVE: What do you think the reaction of the EU will be to this law?
DETERMANN: Different groups in Europe will have different reactions:
The European Commission should consider an adequacy finding for California based on this law. The new California Consumer Privacy Act protects directly only residents of California, but it furthers what is already a relatively strong level of privacy protections in California that meets or exceeds the de facto level in many European countries as well as other countries that have received adequacy findings, such as Argentina, Canada, Israel, New Zealand and Uruguay. But, it would take quite a political effort to conduct an honest comparative assessment, a concept that has been less popular at the EU level than the reflexive U.S. privacy-bashing more common in the EU Parliament. See Lothar Determann, Adequacy of data protection in the USA: myths and facts, International Data Privacy Law, 2016; doi: 10.1093/idpl/ipw011.
European companies, on the other hand, may to some extent welcome a leveling of the playing field: California laws tend to be enforced first and foremost against California and U.S.-based companies (even if they technically apply worldwide), which will disproportionally affect companies in Silicon Valley and elsewhere in the United States. This, in turn, may create opportunities for companies in Europe, which have been hampered by excessive data regulation for the last several decades, and even more so in Asia, where data privacy laws have been far less restrictive to date.
The German government may reconsider its recent initiative to create data ownership rights in furtherance of efficient data trading (see my paper ‘No one owns data‘) given that Germany is proud of its particularly strict national laws and history. My home state Hessen passed the first-ever data protection law in 1970 and started the trend worldwide.
SOLOVE: Thanks, Lothar, for your great insights! This October 3, Lothar will be leading a California Privacy Law Workshop at my event, the Privacy+Security Forum. I strongly recommend that you sign up, as you’ll learn about the California Consumer Privacy Act in the context of California’s many other privacy laws.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy and data security training. He also posts at his blog at LinkedIn, which has more than 1 million followers.
Professor Solove is the organizer, along with Paul Schwartz, of the Privacy + Security Forum (Oct. 3-5, 2018 in Washington, DC), an annual event designed for seasoned professionals.
This post was originally posted on LinkedIn.
Learn all about the new CALIFORNIA CONSUMER PRIVACY ACT of 2018 at the California Privacy Law Workshop (Oct 3 at the Privacy+Security Forum) with Lothar Determann