The California Consumer Privacy Act (CCPA) was enacted in 2018 and goes into effect in 2020. Throughout 2019, EFF and our privacy coalition allies beat back numerous attempts by big business to block this important law before it goes into effect. We did so in the California Legislature, in Congress, and in the administrative rule-making process. We will keep doing so in 2020. In fact, we will work to make CCPA even stronger.
What is CCPA?
CCPA gives consumers three legal rights against businesses. First, consumers have a right to know, that is, to learn what personal information a business has collected about them. This includes access to specific pieces of data. It often includes “portability,” meaning the ability to obtain the data in a usable format. It also includes disclosure of the categories of data sources, the categories of data destinations, and the purpose of collection.
Second, consumers have a right to delete the personal information a company has collected from them. There are exemptions, including when deletion would interfere with another consumer’s free speech.
Third, consumers have a right to opt-out from sale of their personal information. For consumers that a business knows are younger than 16, sale is prohibited absent opt-in consent. Further, a third party cannot re-sell data, absent notice to the consumer and an opportunity for the consumer to opt-out.
CCPA also prohibits companies from retaliating against consumers who exercise their CCPA rights, such as charging a higher price or offering service of a lower quality, unless such differences are reasonably related to the value of the data at issue. CCPA grants exclusive enforcement power to the California Attorney General, except that consumers can sue companies for certain data breaches. Businesses must publish generalized notices of their data practices, provide multiple means for consumers to make requests, and display a “do not sell” link on their websites. CCPA applies to for-profit businesses in California that cross a size threshold: those that make $25 million in annual revenue, 50% of annual revenue from data sales, or data from 50,000 consumers. CCPA has various exemptions, including data that is aggregated, deidentified, or lawfully obtained from the government.
Americans need much more protection of our personal information. For example, CCPA should be amended: to add enforcement by a consumer’s private cause of action; to delete authorization of “pay for privacy” schemes; to add a business duty to minimize data processing to what is reasonably necessary to provide the customer with what they asked for; and to change the default on data sales from opt-out consent—where sale is presumed—to opt-in consent—which presumes sale is prohibited. We tried in 2019 to pass two bills that would have strengthened CCPA: A.B. 1760, sponsored by Assemblymember Buffy Wicks, and S.B. 561, sponsored by Senator Hannah-Beth Jackson. We did not succeed.
Still, a comprehensive consumer data privacy law should include the rights to know, to delete, and to opt-out of sales. So CCPA is a good start.
Defending CCPA in the California Legislature
That’s why many business groups spent much of 2019 trying to gut CCPA in the California legislature, before it goes into effect on January 1, 2020. A coalition of consumer privacy groups defeated these bills, including EFF, ACLU, CALPIRG, Center for Digital Democracy, Common Sense Media, Consumer Action, Consumer Federation of America, Consumer Reports, Media Alliance, Oakland Privacy, and Privacy Rights Clearinghouse.
To cite just two of the many bills we successfully opposed:
- S.B. 753 (Stern) would have created a new exemption from the right to opt-out of data sales for surveillance-based online ads. Yet the third-party tracking that fuels such adtech is one of the greatest menaces to consumer data privacy. So this bill was like (in the words of our friend Jake Snow at ACLU) a coal mining exception from environmental protection laws.
- A.B. 1416 (Cooley) would have exempted the disclosure of data to government agencies from all CCPA protections. This would have fueled continued collection of personal information from everyone, to create private databases to sell to the government. Such collection has many hazardous applications. For example, U.S. Immigration and Customs Enforcement obtains personal data from third parties that it uses to locate people it wants to deport.
Rather than openly seek anti-privacy changes to CCPA, big businesses often let their trade associations do their dirty work. For example, the Internet Association ran misleading ads on social media promoting amendments to weaken CCPA, and spent $176,000 to lobby the California Legislature in just the second quarter of 2019. The Internet Association is made up of dozens of the biggest companies that harvest and monetize personal information, including Facebook and Google. Those two companies declined to comment for a news story about the Internet Association’s advocacy against CCPA. Thus, EFF believes that individual businesses should be held responsible for the advocacy of their trade associations, unless they distance themselves from that advocacy.
At the end of its 2019 session, the California Legislature enacted a package of minor amendments to the CCPA: A.B. 25 (Chau), A.B. 874 (Irwin), A.B. 1146 (Berman), A.B. 1355 (Chau), and A.B. 1564 (Berman). The privacy coalition did not oppose these bills, and the Governor signed them. These bills corrected CCPA typos and added a few narrow exemptions, among other modest changes.
Defending CCPA in Congress
As soon as business groups failed to gut CCPA in the California Legislature, they redoubled their efforts to gut CCPA in Congress. The Internet Association, the Business Roundtable, and TechNet each called anew for federal consumer data privacy legislation—but with a poison pill.
These groups aren’t trying to limit their own business models, which extract profit by intruding on our privacy. Rather, they seek federal “preemption” of state laws. That is, these business groups want a federal law that would block enforcement of state laws. EFF strongly opposed these most recent corporate demands for preemption. While EFF supports federal legislation that actually protects consumer data privacy, we have long opposed doing so if the price is preemption of stronger state laws.
States are “laboratories of democracy.” California is not alone in innovating new approaches to consumer data privacy. For example, Vermont recently required data brokers to publicly register, and Illinois requires informed opt-in consent before businesses collect biometrics.
Defending CCPA in the Rule-Making Process
CCPA requires the California Attorney General to make rules regarding the law. Many business groups have sought to use this administrative rule-making process to weaken CCPA. For example, the Association of National Advertisers asked the Attorney General to expand “pay for privacy,” to expand re-sale of consumer data, and to restrict the definition of “personal information”—and thus the scope of all CCPA protections.
In October 2019, the California Attorney General published draft regulations and invited further public comment. They are a good step forward, but the final regulations should go further.
In December 2019, EFF and the privacy coalition submitted comments about the Attorney General’s proposed regulations. We urged the Attorney General to expand the privacy protections, to maintain its pro-privacy draft rules, and to remove a few proposals that would be a step backwards.
The draft regulations contain some of the suggestions EFF submitted in March 2019. A significant CCPA issue is “verification,” meaning how a business ensures that a requester is actually a particular consumer. We suggested, for example, that if a request for access or deletion is made through a password-protected account, the business should require the requester to log-out and log back in, to be sure the requester is not an adversary who controls the account but does not know the password—as when a thief steals an unlocked laptop with open apps. The draft regulations contain this rule.
We also suggested that consumers should be able to opt-out of data sales by means of an online browser header, along the lines, for example, of the “do not track” system. The Attorney General agreed.
A New California Privacy Initiative
The California Legislature adopted CCPA in June 2018 in response to a ballot initiative sponsored by Alastair Mactaggart. He had recently obtained enough petition signatures to place the initiative on the ballot. He agreed to remove the initiative from the November 2018 ballot, in exchange for passage of CCPA.
In October 2019, Mr. Mactaggart filed a draft of a new initiative that would extensively amend CCPA. The privacy coalition published a list of ways to strengthen the initiative. In November 2019, he filed the final version of the new initiative. It contains some of privacy coalition’s suggestions, but not most of them. Compared to CCPA, it represents steps forward, steps backward, and steps not taken. Ultimately, the California Legislature must do much more to strengthen CCPA.
Unfortunately, we can expect more attacks on CCPA from big business in 2020. As in 2019, we expect anti-privacy bills in California, and preemption bills in Congress. Businesses groups might also bring a legal challenge to CCPA.
We will continue to defend CCPA. We will also work hard in 2020 to persuade the California Legislature to strengthen CCPA. In particular, we will advocate for new limits on how businesses collect and use personal information, and better CCPA enforcement. Please help us, by registering at EFF’s Action Center, and when the time comes, urging your legislators to protect consumer data privacy.
This article is part of our Year in Review series. Read other articles about the fight for digital rights in 2019.
Like what you’re reading? Support digital freedom defense today!