PRIVACY + SECURITY BLOG

News, Developments, and Insights

high-tech technology background with eyes on computer display

ALI Data Privacy: Overview and Black Letter Text — Available for Download

American Law Institute (ALI) Data Privacy 01

Professor Paul Schwartz and I have posted the black letter text of the American Law Institute (ALI), Principles of the Law, Data Privacy. Professor Paul Schwartz and I were co-reporters on the project.  Earlier this year, I wrote a post about our completion of the project.  According to the ALI press release: “The Principles seek to provide a set of best practices for entities that collect and control data concerning individuals and guidance for a variety of parties at the federal, state, and local levels, including legislators, attorneys general, and administrative agency officials.”

The project is an attempt to create a comprehensive approach to data privacy for the United States.  The project was 7 years in the making, and we’re thrilled finally to share the text.  We also wrote a short introduction to explain what various provisions are attempting to accomplish.  You can download it from SSRN for free.  Our piece is called ALI Data Privacy: Overview and Black Letter Text.

Here’s the abstract.

In this Essay, the Reporters for the American Law Institute Principles of Law, Data Privacy provide an overview of the project as well as the text of its black letter. The Principles aim to provide a blueprint for policymakers to regulate privacy comprehensively and effectively.

The United States has long remained an outlier in privacy law. While numerous nations have enacted comprehensive privacy laws, the U.S. has clung stubbornly to a fragmented, inconsistent patchwork of laws. Moreover, there long has been a vast divide between the approaches of the U.S. and European Union (EU) to regulating privacy – a divide that many consider to be unbridgeable.

The Principles propose comprehensive privacy principles for legislation that are consistent with certain key foundations in the U.S. approach to privacy, yet that also align the U.S. with the EU. Additionally, the Principles attempt to breathe new life into the moribund and oft-criticized U.S. notice-and-choice approach, which has remained firmly rooted in U.S. law. Drawing from a vast array of privacy laws and frameworks, and with a balance of innovation, practicality, and compromise, the Principles aim to guide policymakers in advancing U.S. privacy law.

The essay above consists of our short introduction and the black letter text.  The full document is 100+ pages long and is available at the ALI.  Right now, final proofreading and formatting are being done on the document, but you can obtain from ALI the near-final version.

Continue Reading

Cartoon: California Consumer Privacy Act

Cartoon California Consumer Privacy Act - TeachPrivacy Privacy Training 02 small

The privacy world has been abuzz with the passage of the California Consumer Privacy Act of 2018.  In June 2018, within just a week, California passed this strict new privacy law.  Some commentators have compared it to the GDPR, but it is a much more narrow law and is a far cry from the GDPR.  Nevertheless, it is a significant entry in California’s considerable canon of privacy laws.

For more on California privacy laws, see this collection compiled by the California Attorney General.

Continue Reading

California Consumer Privacy Act of 2018 Resource Page

In the period of just a week, California passed a bold new privacy law – the California Consumer Privacy Act (CCPA) of 2018. By January 1, 2020, companies around the world will have to comply with additional regulations related to the processing of personal data of California residents.

My California Consumer Privacy Act Resources page includes information about the CCPA including articles, news, blogs and more.

Continue Reading

California Privacy Law for the World: An Interview with Lothar Determann

For the first half of 2018, all eyes were focused eastward on the EU with the start of GDPR enforcement this May. Now, all eyes are shifting westward based on a bold new law passed by California. By January 1, 2020, companies around the world will have to comply with additional regulations related to the processing of personal data of California residents. Pursuant to the California Consumer Privacy Act of 2018, companies must observe restrictions on data monetization business models, accommodate rights to access, deletion, and porting of personal data, update their privacy policies and brace for additional penalties and statutory damages. The California Legislature adopted and the Governor signed the bill on June 28, 2018 after an unusually rushed process in exchange for the proposed initiative measure No. 17-0039 regarding the Consumer Right to Privacy Act of 2018 (the “Initiative”) being withdrawn from the ballot the same day, the deadline for such withdrawals prior to the November 6, 2018 election.

Below is an interview with Lothar Determann, a leading expert on California privacy law. He has a treatise on the topic: California Privacy Law (3rd Edition, IAPP 2018).

Continue Reading

The California Consumer Privacy Act of 2018

California Consumer Privacy Act of 2018

In the period of just a week, California passed a bold new privacy law — the California Consumer Privacy Act of 2018.  This law was hurried through the legislative process to avoid a proposed ballot initiative with the same name.  The ballot initiative was the creation of Alastair Mactaggart, a real estate developer who spent millions to bring the initiative to the ballot.  Mactaggart indicated that he would withdraw the initiative if the legislature were to pass a similar law, and this is what prompted the rush to pass the new Act, as the deadline to withdraw the initiative was looming.

The text of the California Consumer Privacy Act is here.  The law becomes effective on January 1, 2020.

California palm treesThere are others who summarize the law extensively, so I will avoid duplicating those efforts.  Instead, I will highlight a few aspects of the law that I find to be notable:

(1) The Act creates greater transparency about the personal information businesses collect, use, and share.

(2) The Act provides consumers with a right to opt out of the sale of personal information to third parties and it attempts to restrict penalizing people who exercise this right.  Businesses can’t deny goods or services or charge different prices by discounting those who don’t opt out or provide a “different level or quality of goods or services to the consumer.”  However, businesses can do these things if they are “reasonably related to the value provided to the consumer by the consumer’s data.”  This is a potentially large exception depending upon how it is interpreted. 

(3) The Act allows businesses to “offer financial incentives, including payments to consumers as compensation,” for collecting and selling their personal information.  Financial incentive practices cannot be “unjust, unreasonable, coercive, or usurious in nature.”   I wonder whether this provision will undercut the restriction on offering different pricing or levels of service in exchange for people allowing for the collection and sale of their information.  Through some clever adjustments, businesses that were enticing consumers to allow the collection and sale of their personal data through different prices or discounts can now restructure these into “financial incentives.”

Continue Reading