CPRA From Another View

Let’s see how the CPRA would work from the view of a Californian.

Of course, I analyzed California Ballot Proposition 24, the “California Privacy Rights Act,” at some length in a recent issue, but I think taking on the proposed rewrite of the “California Consumer Privacy Act” (AB 375) from a different angle may provide value in understanding what this law would and would not do. In this piece, I want to provide a sense of what the California resident would be presented with under the new privacy statute.

As noted in my article the other day, as under the CCPA, the CPRA would still not allow people to deny businesses the right to collect and process their personal information unlike some of the bills pending in Congress. Californians could stop the sale or sharing of personal information, but not the collection and processing of personal data short of forgoing or limiting online interactions and many in-person interactions. A person could request the deletion of personal information collected and processed subject to certain limitations and exceptions businesses are sure to read as broadly as possible.

So, businesses subject to the CPRA will have to inform people at the point of collection “the categories of personal information to be collected and the purposes for which the categories of personal Information are collected or used and whether such Information is sold or shared.” Easy enough, as far as this goes. I live in Sacramento, and I log into Facebook, there should be notice about the categories of personal information (e.g. data such as IP address, physical address, name, geolocation data, browsing history, etc.) As a citizen of California afforded privacy rights by the CPRA, I would not be able to tell Facebook not to collect and process these sorts of data. I would be able to ask that they delete these data and to stop their selling or sharing of these data subject to significant limitations on these rights. Therefore, a baseline assumption in the CPRA, as in the CCPA, that it is either in the public interest that data collection and processing are a net good for California, its people, and its businesses, or a concession that it is too late to stop such practices, for strong law stopping some of these practice will result in these companies, some of which are headquartered in the state, to stop offering their free services and/or leave the state.

In the same notice described in the preceding paragraph, I would also be told whether Facebook sells or shares my personal information. I would also be alerted as to whether “sensitive personal information” is being collected and if these are being sold or shared.

Of course, with both categories of information collected from people in California, the use of the data must be compatible with the disclosed purpose for collection. And, so, presumably, the notice provided to me would include the why of the data collection, but whatever the purpose, so long as it is disclosed to me, it would be legal, generally speaking, under the CPRA. The only limitation seems to be purposes incompatible with the context in which the personal information was collected

My personal data could not be stored by a business indefinitely, for the law limits storage for each disclosed purpose for any the time necessary to undertake and complete the purpose.

It must also be stressed that Californians will all but certainly be presented with notice in the physical world when they shop in larger grocery store chains, national or large regional retailers, airlines, car rental firms, etc. In the case of hotels, car rental firms, and airlines, just to name three categories of businesses likely to be covered by the CPRA and to be collecting data on people, the notice may be appended to the boilerplate contractual language no one I know reads. It may be written in the clearest language imaginable, but a person must be advised of what data are being collected, the purpose of the collection and use, and whether it is being sold and shared. For the privacy purist, the only way not to have one’s information collected would be to not engage with these companies. Likewise, walking into a retail establishment large enough to qualify as a business under the CPRA may entail seeing notice posted somewhere in the store, possibly alongside information indicating customers are under surveillance by camera, that personal information is being collected.

I would be able to immediately ask the business to delete my personal information, but it would be allowed to keep this on hand during the period it is completing a transaction or providing goods or services. But there is language that may be interpreted broadly by a business to keep my personal information such as an exception to conduct a product recall or to anticipate future transactions as part of our ongoing business relationship. I would expect this to be very broadly read in favor of keeping personal data. Nonetheless, if it is a service or product used frequently, say, Amazon, then I would need to go back after every use and request my personal information be deleted. But if I placed four Amazon orders a month, the platform could reasonably deny my request because it is occurring in the course of an ongoing business transaction. There are other possible grounds on which a business might not delete a person’s personal or sensitive personal information such as ensuring the security and integrity of the service and product with the caveat that my personal information would have to somehow be “reasonably necessary and proportionate for those purposes.” Would the business make this determination? Subject to guidance or regulations?

However, the exception to the right to delete that is nearly opaque is “[t]o enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business and compatible with the context in which the consumer provided the information.” It is not clear to me the sort of “internal uses” this encapsulates. Data processing so the business can better target the person? This provision is drafted so broadly the new privacy agency must explicate it so businesses and Californians understand what this entails. Also, keep in mind, if I lived in California, I would have to repeat these deletion requests for each and every business collecting information on me.

I would be able to correct my personal information with a business but only with “commercially reasonable efforts,” suggesting cases in which correction are difficult would allow businesses to decline my request. For anyone who has ever tried to correct one’s personal information with a company, the frustration attendant on such endeavors can be significant. A major American automaker switched two letters my wife’s last name, and no matter how many times we asked that her name be spelled correctly, this massive corporation could not or would not make this change. This may end up as a right that is largely without effect.

I would be able to ask for and receive my personal information after a fashion. For example, I would be able to ask for and obtain the exact personal information the business has collected itself but only the categories of information obtained through means other direct collection (i.e. data brokers and other businesses.). To make this section even more convoluted, I would also receive the categories of personal information the business has directly collected on me. Moreover, I could learn the commercial or business purposes for collection and processing and the third parties with whom my personal information is sold or shared. However, if a business includes all this and other information on its website as part of its privacy policy, it would only have to send me the specific pieces of personal information it has collected directly from me. Whatever the case, I would generally only be able to receive information from the previous 12 months.

Separately from the aforementioned rights, I could also learn to whom a business is selling, sharing, and disclosing my information. However, if we drew a Venn Diagram between this right and the previous one, the most significant right bestowed by this section of the CPRA would be that of learning “[t]he categories of personal information that the business disclosed about the consumer for a business purpose and the categories of persons to whom It was disclosed for a business purpose.”

The CPRA would provide me the right to opt out of a business selling or sharing my personal information, and businesses would need to alert people of this right. If I were between the age of 13 and 16, I would need to opt in to selling or sharing my personal information. Moreover, for my children under the age of 13, I, or my wife, would need to opt in for their personal information to be sold or shared.

I would also be able to limit the use and disclosure of my sensitive personal information to an uncertain extent. The CPRA makes clear this is not an absolute right, and businesses would be able to use a number of exceptions to continue using this class of information. For example, a business would be able to do so “to ensure security and Integrity to the extent the use of the consumer’s personal Information is reasonably necessary and proportionate for these purposes.” Likewise, a business could use sensitive personal information for “[s]hort-term, transient use, including but not limited to non-personalized advertising shown as part of a consumer’s current Interaction with the business.” There are other exceptions, and the new California state agency established by the CPRA would be able to promulgate regulations to further define those situations in which use and disclosure may continue against my wishes.

Otherwise, a business would be unable to use or disclose my sensitive personal information once I elect to stop this practice. However, this right pertains only to the use of this type of information to infer my characteristics subject to the drafting of regulations.  

I would not be discriminated against for exercising any of the rights the CPRA grants me with a significant catch on which I’ll say more in a moment. This right would stop businesses from denying me goods or services, charging me a different price, or providing a different level of service or quality. And yet, a business would be able to charge me a different price or rate or give me a lesser level of service or product “if that difference is reasonably related to the value provided to the business by the consumer’s data.” This strikes me as a situation where the exception will eat the rule, for any business with any level of resources will make the claim that the value of my personal information is vital to providing me a service or product for free, and if I deny them the use of this information, the value proposition has changed and I must be charged to have the same level of service, or alternatively without payment, the business could only provide me with a lesser level of service or product. It is my guess that this right would be functionally null.

Moreover, this section is tied to loyalty and reward programs, which would also be exempt from this right so long as the case could be made that the value of my data justifies the difference in price or service. It is not hard to see to incentive structure here being such that businesses would likely establish new programs in order to pressure people in California not to exercise rights in the CPRA and to continue using their personal information in the current fashion. Of course, this is this provision “[a] business shall not use financial incentive practices that are unjust, unreasonable, coercive, or usurious in nature,” but where exactly is the line between a business offering a rewards or loyalty program purportedly tied to the value of the data it collects and processes and these sorts of practices. It may be very hard to divine and will likely require a case-by-case process to delineate the legal from the illegal.

I would generally have two ways to exercise the rights I would be given under the CPRA unless the business only operates online, and then it would be by email. The business would have 45 days after verifying my request for my personal information or to correct or delete to comply, and this would need to be free of charge. However, this 45-day period may be extended once so long as the business informs me. It would seem 90 days would become the de facto norm. A business may also be able to demand “authentication of the consumer that is reasonable in light of the nature of the personal information requested.” The intent is obviously for a business to be sure someone is not malicious or mischievously trying to change someone else’s information in what may come to be an extension of doxing or other vexatious practices seen elsewhere in the online realm. However, this may also likely be read liberally by some businesses as a means of trying up another barrier in the way of my exercise of these rights.

I would be wise as a California resident to understand some of the global limitations of the rights bestowed by the CPRA. For example, all bets are off with respect to a business’ compliance “with federal, state, or local laws or…with a court order or subpoena to provide Information.” A business would be within its legal rights to comply, my wishes be damned. Moreover, law enforcement agencies can direct businesses bot to delete my personal information for up to 90 days while a proper court order is obtained. Moreover, likely as an incentive for businesses, deidentified personal information is not subject to the obligations placed on businesses, and the same is true of “aggregate consumer information.” Obviously, a business would ideally use the safe harbor of deidentification where possible in order to render stolen data less desirable and valuable to thieves. Of course, at least one study has shown that deidentified data can be used to identify and link to people fairly easily and another stated “numerous supposedly anonymous datasets have recently been released and re-identified.” This may be less safe a harbor for my personal information than the drafters of the CPRA intend.

It also bears mention that some publicly available information shall not be considered personal information under the CPRA. The catch here is that not all of my personal information in the public sphere meets the terms of this exception, for new language in the CPRA to modify the CCPA definition makes clear the information has to be “lawfully obtained,” “truthful” and “a matter of public concern.” Additionally, businesses would be barred from using personal information made widely available that is probably not being disclosed lawfully (e.g. someone plastering my home address on social media.) And yet, the California Department of Motor Vehicles (DMV) has been selling the personal information of people to private investigators, bail bondsmen, and others, a legally sanctioned activity, but allowing this practice to funnel the personal information of Californians to businesses and data brokers would arguably not be a matter of public concern. Therefore, this exception may be written tightly enough to anticipate and forestall likely abuses.

Like the CCPA, the CPRA does not bear on use of my personal information in areas of like already regulated, often by the federal government such as health information or credit information. Any rights I would have with respect to these realms would remain unaffected by the CPRA.

I would receive protection in the event of specified types of data breaches, namely if my personal information were neither encrypted nor redacted, the CPRA’s breach provisions come into play. Under the CCPA, if my personal information were not encrypted but was redacted and stolen, a breach would occur, and the same was true if it were not redacted but encrypted. So, this seems to be a weakening of the trigger that would allow me to sue if my personal information were subject to unauthorized exfiltration or access, theft, or disclosure. Additionally, if my “email address in combination with a password or security question and answer that would permit access to the account” are exposed or stolen, I could also sue. Moreover, any unauthorized stealing, accessing, disclosing, or exposure of my personal information must be due to a “business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information” before a breach could occur.

Once a breach has occurred, however, I can sue for between $100-750 per incident plus actual damages but only after giving a business 30 days to cure the breach if possible. If there are no tangible monetary damages, as is often the case in breaches, then I would be left to weigh suing to recover the statutory damages. But if it’s one breach or a handful of breaches, it may not be worth the time and effort it takes to litigate, meaning this is likely the circumstances in which class actions will thrive.

Alternatively, the California Privacy Protection Agency will be empowered to bring actions against businesses that violate the CPRA, but the bill is silent on whether I would be made whole if I did not sue and the agency recovers money from the business. This is not entirely clear.

Finally, there are provisions that contemplate technological means for people to make their preferences under the CPRA known to many businesses at the same time or with minimal repetitive effort. I suppose this envisions someone designing an app that one could use that would do the hard work for you. This seems like language designed to seed the ground in California for developers to create and offer CPRA compliant products. Likewise, one could designate a person to undertake this work for you, which also suggests a market opportunity for an entity that can make the economics of such a business model work. In any event, I would likely be charged for using a service like either of these, leading one to the uncomfortable conclusion that these provisions may drive a greater bifurcation in the world of technology between the haves and haves not.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by OpenClipart-Vectors from Pixabay

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s