“We do not and never will sell any of your information to anyone.” Mark Zuckerberg, Facebook: Washington Post Monday, May 24, 2010

When the full horror of the implications of the Data Hijacking scandal involving Facebook and Cambridge Analytica was eventually revealed in March 2018, the public mood towards privacy legislation finally hardened against the abuses of the IT giants. The most alarming aspect to the scandal was that there seemed to be no internationally-accepted legislation capable of allowing a successful prosecution.

The EU Data Protection Directive 1995, and the subsequent General Data Protection Regulation 2018 (GDPR) seemed at the time to be the only legislative framework capable of even laying down a common understanding of the morality about the use of personal information, despite the fact that many countries and federations around the world had been attempting to define such a thing for decades. Why has it been so difficult?

The US State of California has a history of introducing pioneering legislation that protected the individual against the abuses of big corporations. However, even California had struggled so much to provide up-to-date legislation that was comparable in scope to the GDPR, that voters had shown every indication of approving an alternative law via a ballot initiative: A law that was drawn up by privacy campaigners.

This article attempts to explain the main reasons for the passive resistance of the elected representatives to voting through effective privacy legislation, and the vehement opposition to the new laws that came from many media, telco and tech companies. I’ll try to recount some of the compromises to the law that were made as a result. Out of it all, I’ll try to extract some sensible advice on steps that data professionals can reasonably take, to ensure the data stores and processing complies with these new State laws, as far as possible.

Data Privacy Legislation in California

Everyone was expecting California to be the first to pass privacy legislation in line with the GDPR, having already amended its constitution to include the “inalienable” right of privacy. California were the first to introduce laws requiring notifications of data security breaches (2002), and in 2003, including the ‘Shine the Light’ law that required businesses to explain how they handled consumers’ personal information. They followed this, in 2004, with the, sadly rather inadequate, California Online Privacy Protection Act (CalOPPA). In 2015, California also introduced the Business & Professions Code 22580-22582 (“BPC 22580-22582”) law, a.k.a. the Privacy Rights for California Minors in the Digital World Act.

In 2013, CalOPPA was amended to give the legislation some bite, but it was still in obvious need of replacement, to reflect advances in technology and work on Assembly Bill 375 (AB-375), the draft of the new act, began in February 2017. It attempted to redefine the way that businesses who have customers in California could collect and sell the personal information of those customers.

However, the size and strength of the opposition to this new, more comprehensive privacy act was a surprise, and the bill suffered delays. After a great deal of prevarication, voters and privacy groups became concerned that meaningful and enforceable legislation wasn’t going to emerge, so an organization called ‘Californians for Consumer Privacy’ created proposed legislation called the CCPA (California Consumer Privacy Act).

The CCPA and AB-375

The proposed CCPA was a far-reaching consumer privacy initiative, similar in its main points to the GDPR. It was placed on the California ballot, as proposed initiative measure No. 17-0039, for November 2018. If it passed successfully, and every indication from polling suggested that it would, then it would come into effect in August 2019. The initiative gained more than 600,000 signatures of support from Californian residents, which was remarkable, in the face of well-funded opposition from the IT Giants.

CCPA was opposed by organizations called ‘The Committee to Protect California Jobs’, as well as ‘the Internet Association’ and ‘Technet.’ These were backed by various media, telco and tech companies, including Amazon, AT&T, Comcast, Facebook, Google, Microsoft, and Verizon. Rumors spread of a ‘war chest’ to fund a campaign against CCPA of around $100m. FaceBook had evidently spent $200,000 opposing it until the Cambridge Analytica data scandal blew up in their faces, and they suffered a PR disaster over their privacy policies. Unsurprisingly, Facebook did an abrupt U-turn and supported the CCPA.

The detractors explained their opposition by complaining that the CCPA added the right for Californians to sue companies directly, for data misuse and rule infringement. They also disliked the idea of being forced to include a prominent “Don’t Sell My Data” homepage button, and the obligation to provide the same services, whether or not the user exercised this right. The restrictions in the way that personal data could be used for advertising by third parties was also unpopular with the IT behemoths.

The chief sponsor of the CCPA, Alastair Mactaggart, then stated that he would withdraw the CCPA ballot initiative if California’s nascent AB-375 was passed before a deadline. AB-375 was kicked back into life and was rushed unopposed through both the State Assembly and the Senate, by State Assembly member, Ed Chau, and State Senator, Robert Hertzberg. It was signed into law by Governor Jerry Brown.

The most significant consequences of all this are, firstly, that the law comes into effect on January 1, 2020, rather than in August 2019. Secondly, AB-375 can be amended until 2020, the point that it passes into law. The CCPA, like all ballot initiatives, would have been far more difficult to change once it had achieved the two-thirds majority and been passed because the amendment would likewise require a two-thirds majority vote on the ballot. Also, amendments to the CCPA would only have been allowed that were ‘consistent with and further the intent of this Act.’ Hence the rush with AB-375.

In fact, AB-375 is already changing slightly. It initially required businesses to share ‘accurate names and contact information‘ of third parties that bought user data over the previous year. It is now much more relaxed, requiring nothing more than merely disclosing the “categories of third parties” that bought the data.

Although this seems to have been done after representation from the industry that such a task was too onerous, it is more likely due to the unwillingness of IT companies to disclose to competitors who in the industry is actively buying personal data. It is most unlikely that anyone in the business of selling data on to third parties would lack a mechanism to keep track of whom they’re sharing with!

The other disadvantage was that AB-375 compromised some of the more radical elements of the CCPA, such as the idea that the individual whose personal data was compromised could take direct legal action against the offending company. AB-375 leaves the task of enforcing the law to the attorney general and gives the citizen of California the right to private action only in the case of data breaches that weren’t subsequently fixed.

In a sense, nobody won this skirmish. AB-375 can be amended for the next two years, so it is still possible for its teeth to be extracted by the IT giant corporates, ‘…to address the many unintended consequences of the law‘, as one of them recently stated.

In the meantime, the initiative on privacy concerns remains with the EU’s GDPR legislation, at a time when the States could be taking the lead. However, AB-375 has exposed some issues that need to be debated by politicians and electors, but which are impossible for the technical side to decide. This includes whether the public should have a right to sell information about themselves, or whether they should be protected from the temptation to do so. It also raises questions about whether service providers should be allowed to penalize the user of a system who refuses to allow the use of their data by advertisers. Should they get a ‘lite’ rather than ‘pro’ level of service as a consequence? The ‘Spotify exception’ is an example of this.

The Spotify Exception

The main difference between the CCPA and AB-375 is that the latter creates what state senator Hertzberg calls the “Spotify exception,” allowing IT companies to offer different services or subscription rates to users, depending on the amount of personal data that they actively opt to share, or the advertising that they can tolerate.

AB-375 states that the difference in service must be “reasonably related to the value provided to the consumer by the consumer’s data.” The problem with forcing internet companies to provide the same level of service to people who opt out of allowing them to use or sell their data is that for some companies this it is their only revenue stream, and the only one possible with their business model. (See AB-375 Right to Equal Service and Price. 1798.103.) If users are getting a service that is paid for only by allowing targeted advertising, or the sale of data, then it might seem unfair to insist that users are entitled to the service even if they opt out of the use of their data.

The CCPA explained it like this:

“Your decision to request information from a business about its collection and sale of your personal information, or to tell a business to stop selling your personal information, should not affect the price, quality, or level of the goods or services you receive. It is possible for businesses both to respect your privacy and provide a high level of quality and service and a fair price.”

Whereas the original CCPA prevents businesses from discriminating against consumers who opt out of the sharing of their data, the AB-375 allows them to offer consumers financial incentives, if they do agree to share their data. They can also charge consumers reasonable fees for not sharing their data with advertisers or other third parties, which could accelerate the move towards subscription businesses.

Differences between AB-375 and the GDPR

It is difficult to make a direct comparison between the new law and the GDPR, because of the difficulty in getting a precise ruling. The people who drafted the new law could not deal with any overlap or inconsistencies between the new law and California’s existing privacy laws. Instead, they inserted a clause that says that wherever there is a conflict with California’s existing laws, the law that gives the greatest privacy protections shall take precedence. The law “shall be liberally construed to effectuate its purposes.” In order to fathom the true meaning of the new law, you need to study all the existing laws as well!

With that proviso, the differences with the GDPR seem to be only ones of emphasis, rather than substance:

• The definition of the individual person is clearer in AB-375, so that it includes not just Californian residents as users or consumers of IT applications, but also as employees, patients, tenants, students, parents, and children
• The exceptions to the rights of deletion of personal data are different from the GDPR
• Whereas AB-375 is clear about when parental consent is required, GDPR (article 8) does not require parental consent in every case: only when offering information society services (ISS) directly to children;
• With AB 375, adult users have the right sell their personal information (section 1798.125), whereas the GDPR allow only ‘explicit opt-in and opt-out’ in particular circumstances to a known destination for a legitimate reason. There is nothing in the GDPR legislation that allows general data brokerages
• AB 375 insists that businesses disclose to their users that they would like to sell their personal data. If the users are unwilling to consent, then a business has the right to increase the fee for the service and offer a different package. They can also offer incentives for the sale of their data. The GDPR does not condone data brokerage at all.
• In the case of an avoidable data breach, users can recover damages of $100-$750 per instance, or actual financial damages, whichever is the greater. However, businesses can avoid statutory damages or class-wide actions being pursued if they rectify any breach within 30 days of notice being provided by the user. There is also a great deal of latitude in the term ‘avoidable.’
• AB 375 does not allow discrimination against users who opt out, exercising their rights in accordance with the bill. The GDPR is not explicit on this point.
• AB 375 introduces the concept of ‘de-identified’ data. A business is free to collect, store, process, and transfer data that has been deidentified, by aggregating it into a summary report for use in marketing and advertising.
• AB 375 is much more prescriptive about such things as disclosures and communication channels, such as toll-free numbers.
• AB 375 has a broader definition of personal data and includes information about households, families, and devices.

What Should a Data Professional Do in Light of AB-375?

There is no point in panicking about a law that can be amended for two years and must be, well, ‘liberally construed to effectuate its purposes’ and to fathom its meaning. However, it is as well to:

• Make sure that your systems can work out if any data you hold is about Californian residents.
• Plan for systems that can provide different levels of service, according to the extent of opt-out (or opt-in, in GDPR parlance)
• Find ways of avoiding Nagware for requesting opt-in to the sale of data. (repeated requests within a year would be ‘nagging.’
• Provide alternative, cost-free ways of allowing users to specify their general opt-in or opt-out to the sale of personal data, including the prominent link to a ‘Do not sell my personal Information’ page, with an effective verification system. (Note that there is no such thing as a general permission to sell data in the GDPR. Data brokerage isn’t compliant)
• Plan to update your privacy policies within the next two years to ensure that they comply.
• Determine the age of your internet users who are California residents, to comply with the law regarding the age of consent for opt-in.

Conclusion

Any company with an international Internet-based business that holds personal data will be very suspicious of any state-based law. Not only would it be a nightmare to comply with different detail in every state, but the experience of trying to make sense of the Californian initiative could be multiplied by as many as fifty times if each state concocts its own legislation.

Although Congress has an obvious, and justifiable, dislike of federal privacy legislation, the alternative of having fifty divergent state privacy laws is unthinkable, especially if they follow the experience of California’s attempts. IT professionals will remember the forty-nine different state laws on data breach notifications that gradually followed California’s 2002 Data Breach law. They will look enviously at the way that the counties within the EU sphere of influence sensibly all fell in line behind the GDPR. I certainly wouldn’t relish having to provide forty-nine more summaries like this, and I can’t imagine many readers looking forward to having to read them.