A coalition of business groups, including the California Chamber of Commerce and a broad array of industry associations, wrote to state lawmakers on Monday requesting a series of amendments to the California Consumer Privacy Act (“AB 375”) to correct drafting errors and fix aspects of the bill deemed “unworkable” by affected businesses, and thus avoid “negative consequences unintended by the authors.” The desired changes include modifications to the definitions of “consumer” and “personal information,” increased flexibility to create and use de-identified data points, and clarification of the non-discrimination in services provision.
As was described in DWT’s earlier advisory, AB 375 was signed into law in June following only a week of debate in an effort to avoid a ballot initiative on consumer privacy. State Senator Bill Dodd introduced SB 1121 on August 6, 2018, as cleanup legislation largely intended to fix typographical errors in AB 375. The coalition’s proposed amendments go further, seeking to change some key areas of confusion and operational challenges identified in the version of AB 375 enacted in June.
Definition of ConsumerThe coalition requested a change in definition to clarify that employees and contractors of a business are not “consumers” for the purpose of the law and do not have rights to transparency, access, and erasure. Citing unintended consequences of giving employees the right to request that their information be erased from company files, such as the ability of employees accused of harassment to hide the evidence, the letter proposes defining consumers as persons whose personal information “is obtained as a result of the consumer’s purchase or use of a product or service for personal, family, or household purposes.” This would be entirely consistent with the law’s purpose.
Definition of Personal Information
The letter points out a number of challenges to the broad definition of personal information in AB 375, including:
- The definition of personal information as that which “relates to or could be associated with” a consumer is vague and overly broad as almost anything “could be” associated with a consumer. FTC guidance limits personal information to that which is “linked or reasonably linkable” to a consumer.
- References to household, devices, and family in the definition would allow one member of the household to seek information about others, which could be lead to invasions of privacy defeating the key goal of the legislation.
- The list of examples contained in the definition is too strict, as certain of those data points are not always reasonably linkable.
- The term “device” should be deleted “because devices are often shared by several people and are not personally identifying.”
- The term “probabilistic identifier” is not precise and would require businesses to make guesses when facing requests for access and erasure.
- Including ambiguous terms like “inferences” and “tendencies” would defeat the use of new AI technologies that make recommendations and perform tasks that are beneficial to and wanted by consumers and giving consumers access and erasure rights over inferences and tendencies could inhibit the development of proprietary AI tools.
The coalition suggests modifications to address each of these challenges, as well as to exclude de-identified, pseudonymized, aggregated, and publicly available information from the definition of personal information.
Flexibility Regarding Pseudonymized, De-Identified, and Aggregated DataThe coalition argues that increased business use of techniques that separate a consumer’s identity from data points, such as pseudonymization, de-identification, and aggregation of data, enhances privacy, but that the law as currently written fails to incentivize this practice, due to the fact that the definition of “de-identified” data is so restricted as to be unachievable. The letter proposes explicitly granting businesses permission to create de-identified data, including the word “pseudonymized” in the type of data businesses are encouraged to create along with de-identified and aggregated, and aligning the definition of de-identified data with FTC guidance by including an express “commitment not to re-identify data and requiring by contract that third parties who receive the data commit not to re-identify it.”
Clarification of the Non-Discrimination RestrictionsAB 375 currently prohibits businesses from discriminating in the provision of services based on the fact that a consumer has opted out of the sale of their data. But the law contradicts itself in the same provision, noting both that discrimination is acceptable if it is “reasonably related to the value provided to the consumer” by the data and that a financial incentive may be offered for the collection of personal information if “directly related to the value provided to the consumer” by the data. Noting that this is both confusing and nonsensical, the coalition proposes limiting the ban on discrimination in services to that which is unreasonable, and broadening capability of the business to provide incentives (not limited to financial ones, and including offering a good or service for no fee), if the difference is reasonable related to the value provided to the business (not the consumer).
The additional changes suggested by the coalition include removal of the requirement to disclosure upon consumer request the “specific pieces” of information a business has collected (which would drastically change the right of access), allowing businesses to offer consumers granular opt-out from sale options, instead of an all or nothing opt-out; clarifying that the sale of targeted advertising spots is not a sale of personal information if the ad purchaser does not receive a consumer’s information; and adding protections to the business’ ability to use personal information to prevent or detect identity theft, fraud, or criminal activity. The coalition also requested clarifications of the exemptions for businesses affected by certain federal laws to align the exemptions to the full scope of personal information collected, disclosed, sold, or used that is subject to those laws.
The letter seeks a delay of implementation of AB 375, which is currently scheduled for Jan. 1, 2020. Noting that rulemaking processes by the Attorney General’s (“AG”) office are necessary to define some of the requirements that businesses must follow, the proposed amendments would delay the AG rulemaking until Jan. 1, 2020, to allow for further debate and amendment of the law in the legislature, and then have the AG rulemaking commence after a final version is adopted, with the compliance deadline set for 12 months after the completion of the AG’s rulemaking. The coalition specifically noted the broad scope of the statute and the significant operational costs involved with a multitude of businesses – large and small – in almost every industry coming into compliance.