Privacy by design — or “Data Protection by Design” as it is referred to in the General Data Protection Regulation (GDPR) — is essential to meaningful privacy protection. Yet, it is often quite thin and incomplete. As I wrote a few years ago about privacy by design, “The ‘privacy’ the designers have in mind might be so focused on one particular dimension of privacy that it might overlook many other dimensions.”
The privacy world has been abuzz with the passage of the California Consumer Privacy Act of 2018. In June 2018, within just a week, California passed this strict new privacy law. Some commentators have compared it to the GDPR, but it is a much more narrow law and is a far cry from the GDPR. Nevertheless, it is a significant entry in California’s considerable canon of privacy laws.
For more on California privacy laws, see this collection compiled by the California Attorney General.
In the period of just a week, California passed a bold new privacy law – the California Consumer Privacy Act (CCPA) of 2018. By January 1, 2020, companies around the world will have to comply with additional regulations related to the processing of personal data of California residents.
My California Consumer Privacy Act Resources page includes information about the CCPA including articles, news, blogs and more.
For the first half of 2018, all eyes were focused eastward on the EU with the start of GDPR enforcement this May. Now, all eyes are shifting westward based on a bold new law passed by California. By January 1, 2020, companies around the world will have to comply with additional regulations related to the processing of personal data of California residents. Pursuant to the California Consumer Privacy Act of 2018, companies must observe restrictions on data monetization business models, accommodate rights to access, deletion, and porting of personal data, update their privacy policies and brace for additional penalties and statutory damages. The California Legislature adopted and the Governor signed the bill on June 28, 2018 after an unusually rushed process in exchange for the proposed initiative measure No. 17-0039 regarding the Consumer Right to Privacy Act of 2018 (the “Initiative”) being withdrawn from the ballot the same day, the deadline for such withdrawals prior to the November 6, 2018 election.
Below is an interview with Lothar Determann, a leading expert on California privacy law. He has a treatise on the topic: California Privacy Law (3rd Edition, IAPP 2018).
This cartoon is about the GDPR’s right to data portability under Article 20. This right allows data subjects to take their data from one organization and transfer it easily to other organizations. Pursuant to the GDPR Article 20:
1. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
(a) the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and
(b) the processing is carried out by automated means.
2. In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
3. The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
4. The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.
The U.S. Supreme Court recently issued a decision in Carpenter v. United States, an important Fourth Amendment case that was eagerly awaited by many. The decision was widely cheered as a breakthrough in Fourth Amendment jurisprudence — hailed as a “landmark privacy case” and a “major victory for digital privacy.” In the NY Times, Adam Liptak referred to Carpenter as a “major statement on privacy in the digital age.”
Although I agree with the outcome of the decision, I ultimately find it to be disappointing. True, the Supreme Court finally took a step forward to bring the Fourth Amendment more in line with the digital age. But this was only a step in the year 2018, when the Court should have walked more than a mile.
Despite the fact that the various opinions in Carpenter total 119 pages, Carpenter only resolves a narrow issue and leaves many open questions. When something is the length of a Tolstoy novel, the plot should advance quite a lot more. The basic holding of the case is that the Fourth Amendment applies when the government “accesses historical cell phone records that provide a comprehensive chronicle of the user’s past movements.” But a lot more was at stake in the case. This was the prime opportunity for the Court to overrule the Third Party Doctrine, under which the Court has held that there is no reasonable expectation of privacy for information known or exposed to third parties. The Third Party Doctrine was forged in the 1970s in cases involving bank and phone records. In United States v. Miller, 425 U.S. 435 (1976), the Court held that there is no reasonable expectation of privacy in financial records maintained by one’s bank because “the Fourth Amendment does not prohibit the obtaining of information revealed to a third party and conveyed by him to Government authorities.” In Smith v. Maryland, 442 U.S. 735 (1979), the Court concluded that there was no reasonable expectation of privacy when the government obtained a list of phone numbers a person dialed from the phone company because people “know that they must convey numerical information to the phone company” and cannot “harbor any general expectation that the numbers they dial will remain secret.”
As I argued in an earlier post about Carpenter, the Third Party Doctrine is deeply flawed and eviscerates Fourth Amendment protection in today’s digital age where so much of our information is in the hands of third parties. Carpenter would have been the ideal case to get rid of the Third Party Doctrine. Instead, the Supreme Court did what it has often done in recent years — tiptoe weakly like a mouse, nibbling around the edges of issues rather than directly resolving them. Rather than overrule Smith and Miller, the Carpenter Court just stated that these cases don’t apply to cell-site location records: “We decline to extend Smith and Miller to cover these novel circumstances. Given the unique nature of cell phone location records, the fact that the information is held by a third party does not by itself overcome the user’s claim to Fourth Amendment protection.” This is a partial victory, as the Third Party Doctrine finally has a stopping point, but there is an endless series of situations involving the Third Party Doctrine, and the Court has provided scant guidance about when the Third Party Doctrine will apply.
In the period of just a week, California passed a bold new privacy law — the California Consumer Privacy Act of 2018. This law was hurried through the legislative process to avoid a proposed ballot initiative with the same name. The ballot initiative was the creation of Alastair Mactaggart, a real estate developer who spent millions to bring the initiative to the ballot. Mactaggart indicated that he would withdraw the initiative if the legislature were to pass a similar law, and this is what prompted the rush to pass the new Act, as the deadline to withdraw the initiative was looming.
The text of the California Consumer Privacy Act is here. The law becomes effective on January 1, 2020.
There are others who summarize the law extensively, so I will avoid duplicating those efforts. Instead, I will highlight a few aspects of the law that I find to be notable:
(1) The Act creates greater transparency about the personal information businesses collect, use, and share.
(2) The Act provides consumers with a right to opt out of the sale of personal information to third parties and it attempts to restrict penalizing people who exercise this right. Businesses can’t deny goods or services or charge different prices by discounting those who don’t opt out or provide a “different level or quality of goods or services to the consumer.” However, businesses can do these things if they are “reasonably related to the value provided to the consumer by the consumer’s data.” This is a potentially large exception depending upon how it is interpreted.
(3) The Act allows businesses to “offer financial incentives, including payments to consumers as compensation,” for collecting and selling their personal information. Financial incentive practices cannot be “unjust, unreasonable, coercive, or usurious in nature.” I wonder whether this provision will undercut the restriction on offering different pricing or levels of service in exchange for people allowing for the collection and sale of their information. Through some clever adjustments, businesses that were enticing consumers to allow the collection and sale of their personal data through different prices or discounts can now restructure these into “financial incentives.”
This cartoon is based on a fairly recent trend – countries that are requiring data localization. Data localization involves requirements that personal data collected in a certain country reside on servers within that country’s borders.
Here are some articles on data localization worth looking at:
• Bret Cohen, Britanie Hall, and Charlie Wood, Data Localization Laws and their Impact on Privacy, Data Security, and the Global Economy (ABA Antitrust)
• Manuel Maisog, Making the Case Against Data Localization in China (IAPP)
• Jyoti Panday, Rising Demands for Data Localization a Response to Weak Data Protection Mechanisms (EFF)
Co-Authored by Prof. Woodrow Hartzog
On Wednesday, the U.S. Court of Appeals for the 11th Circuit issued its long-awaited decision in LabMD’s challenge to an FTC enforcement action: LabMD, Inc. v. Federal Trade Commission (11th Cir. June 6, 2018). While there is some concern that the opinion will undermine the FTC’s power to enforce Section 5 for privacy and security issues, the opinion actually is quite narrow and is far from crippling.
While the LabMD opinion likely does have important implications for how the FTC will go about enforcing reasonable data security requirements, we think the opinion still allows the FTC to continue to build upon a coherent body of privacy and security complaints in an incremental way similar to how the common law develops. See Solove and Hartzog, The FTC and the New Common Law of Privacy, 114 Columbia Law Review 584 (2014).
For global organizations as well as organizations in the EU, the GDPR has brought significant attention and resources to privacy. Finally, many executives are beginning to take privacy seriously. As I recently wrote in my article, Prime Time for Privacy, at Bloomberg Law:
The GDPR has taken privacy to the next level. Before the GDPR, nothing had fully gelled around what protecting privacy actually entailed. The consequences of poor privacy were also rather vague in many cases. There was no clear blueprint for protecting privacy. Organizations would do just one or two things, such as provide a notice of privacy practices and keep data secure, and then claim they were protecting privacy. But they were only doing a fraction of what was truly needed to protect privacy.
The GDPR has changed all that. It provides a blueprint for protecting data that is more thorough and complete than nearly any other privacy law. The GDPR contains provisions that require governance measures, data mapping, assessment, data protection by design, and vendor management, among other things. It provides for individual rights such as the right to access one’s data, the right to request restrictions on data use, the right to be forgotten, and the right to data portability. The GDPR has a broad definition of personal data, and it applies across different industries, so it provides a comprehensive baseline of privacy protection.
Now, privacy professionals can point to a definitive source of the various norms, best practices, standards, and rules that have long existed in fragmentary form. The GDPR has penalties that will keep the CEO awake at night. Privacy professionals can point to it and say, “This is what we need to do, and this is why.”