CA Dems Defend CCPA Against Preemption; California Holds CCPA Hearing on Changes
Politico reported this week that there is an obstacle in Congress to efforts to preempt the California Consumer Privacy Act – House Democrats from California. They appear ready to defend the CCPA against federal preemption and given Democrat control of the U.S. House of Representatives, could play a substantial role in the creation of a new federal privacy law.
The article says:
“Lately, however, California Democrats have been firmer in their outright opposition to crafting any federal law that either overrides or does anything short of replicating, and possibly expanding upon, their state’s law.”
The article calls House Speaker Nancy Pelosi, a Democrat representing California, “another factor to watch” as the debate about a federal privacy law plays out. Given the push from California to keep the law, where even members of the state GOP are arguing against preemption (in a recent letter to the leaders of the House Energy Committee and Senate Commerce Committee), and Californians for Consumer Privacy meeting with members of the legislative delegation, this could restrict the ability of Congress to reach a bipartisan compromise that is supported by industry as well.
The article also reported that talks between the parties have stalled:
“Members of both parties acknowledged that the preemption question is among the thorniest under discussion in legislative talks, which have already stalled relative to optimistic early projections. Senate negotiators had hoped to unveil a data privacy draft bill early in 2019, but week after week has slipped by without any release. The negotiators now say it’s unlikely a draft emerges by the end of February, when both Senate and House panels will hold their first hearings on the topic.”
The first Congressional hearings of the year on data privacy will be happening next week. The Senate Commerce Committee panel was announced and consumer groups have already object to the fact that the panel solely includes industry representatives. The panel on Wednesday includes:
President and Chief Executive Officer, Internet Association
Chief Operating Officer, Retail Industry Leaders Association
President and Chief Executive Officer, BSA – The Software Alliance
Co-Chairman, 21st Century Privacy Coalition
Chief Executive Officer, Interactive Advertising Bureau
Meanwhile, the California State Privacy and Consumer Protection Committee on Wednesday had its first hearing on the CCPA this year. Assemblymember Ed Chau, a sponsor of the California Consumer Privacy Act last year, confirmed that he expects additional cleanup legislation this year on CCPA. At the outset of the hearing, he said that there is common ground and surgical changes that can be made that do not rollback consumer protections. Later, he said, “Many of the issues that we have heard today are on our radar…. The list keeps growing a little bit as we go…[M]any of the issues that have been raised are legitimate concerns that we will be looking into as we go ….”
One of the more interesting segments of the hearing was to listen to the Chair of Californians for Consumer Privacy speak about the logic behind some of the sections of the law. For example, he suggested on the law’s application to small businesses that collecting IP addresses alone would not be enough to trigger right to access. The basis for this reading appeared to be that IP alone was insufficient to identify a person, harkening back to the pre-GDPR interpretation of PII. Under GDPR, IP address is generally considered an example of personal identifiable information. Several members of the panel that followed in the hearing disagreed with the interpretation of the law that there was any ambiguity that IP address would be covered in the definition of a business.
He also described 3 safe harbors to the private right of action:
1. Encrypt Data
2. Redact Data
3. Set reasonable security procedures.
When asked specifically about the third safe-harbor, he pointed to California’s existing law on the subject – Cal Civ. Code § 1798.81.5.
The representative from the California Attorney General’s Office also spoke about the rulemaking process but did not issue any guidance about specific provisions of the law yet. She said specifically that such comments would be inappropriate while they were in the process of drafting the CCPA regulations. She did, however, reiterate several points from a previous letter sent by the AG to the legislature on unworkable obligations and serious operational challenges posed by the law. She pointed to three problem areas:
1. Guidance provision
2. Right to cure (“get out of jail free card”)
3. Limited private right of action.
The Guidance provision allows “[a]ny business or third party to seek the opinion of the Attorney General for guidance on how to comply” with the CCPA. The Attorney General’s letter to the legislature in August of last year said that requiring it to provide legal counsel to business at taxpayer expense was an “unprecedented obligation of using public funds to provide unlimited legal advice”. He also said that it creates a “potential conflict of interest” by providing for advice to potential lawbreakers.
The objection to the right to cure does not appear to be in the prior letter, although the objection itself has been made pretty clear. The Attorney General does not want to give businesses the 30 day opportunity to correct any CCPA violations.
In advocating for a more expansive private right of action, the Attorney General appears to be looking to take some of the enforcement burden off of itself and allow consumers to take independent action. A broader private right of action is a part of a few different proposed privacy laws, and was originally part of the CCPA but was revised before AB-375 was adopted by the California legislature. SB-1121 subsequently made clear that the intent was not to have a broad civil action provision in the California’s privacy law.
There were a number of panelists and public speakers during the comment period as the hearing went on for about three hours. Here are a few of the comments that we pulled out of it for the Clarip Twitter feed:
Frankfurt Kurnit Partner: The CCPA is even more complex and challenging than the #GDPR …. All companies doing business in California are not ready…. There are going to need to be some changes to the timeline for compliance to be realistic.
Chief Privacy Officer of Square: It could be helpful to harmonize #CCPA PI definition to #GDPR definition personal data definition.
Rep. for CA Chamber of Commerce: State investment in resources … for advisory opinions to businesses on how to comply … would be money well spent …. These kinds of educational approaches will be far more efficient use of resources than costly enforcement actions.
Rep from Internet Association: Asking for amendment to clarify that data flow on IP, browser type, cookies, is not considered a sale of personal information under #ccpa.
Among concerns of Association of National Advertisers: Household access to information problematic; needs nuanced deletion and opt-out choices.
Rep. of Association of CA School Administrators: Exclude records within school district control covered by current regulations.
Rep of Nonprofit Alliance: Worried nonprofits will bear the burdens of cost pressures created by the law.
Rep of National Payroll Reporting Consortium: Concerned broad definition of consumers would apply to employees and lead to unintended consequences.
Rep. of Consumer Reports: Consumers have repeatedly made it clear that they want more, not fewer protections and certainly this legislation is a step in the right direction. Changes suggested include 1) data minimization, and 2) improvement of right to cure.
Rep of Consumer Data Industry Association: Wants to make sure that fraud tools are not compromised and credit reports are treated appropriately.
Other Relevant Posts:
Next Stop for CCPA Amendments AB-25 and AB-874 is an Assembly Floor Vote
Highlights of the CA Privacy Committee Hearing Yesterday on CCPA Amendments
How to Prepare for CCPA Compliance Given the Uncertain Amendments and Regulations
CCPA Amendments to be Heard in April 23rd California Assembly Privacy Committee Hearing
Senate Judiciary Committee Recommends SB 561, the Expanded CCPA Private Right of Action
Latest on the Proposed CCPA Amendments
AB-25 Proposes CCPA Amendment to Exclude Employees from New Privacy Law
CCPA Regulation Recommendations by EFF to CA Attorney General
Highlights of CCPA Rulemaking Comments by IAB and ANA
CCPA Amendment & Consumer Privacy Bills in California legislature in Feb. 2019
California AG Supports Proposed CCPA Amendments in SB 561
California GOP Defend CCPA Against Federal Preemption
More Technical Amendments Suggested for CCPA; CA GOP Introduce Another Privacy Bill
Advertising & Marketing Groups Send AG Letter Seeking Flexibility on CCPA