California Consumer Privacy Act of 2018, Cal. A.B. 375December 2018
The California Consumer Privacy Act of 2018 (CCPA) presents multiple challenges for enterprises that collect and process data, governments that must enforce the law, and consumers who will be confused by its results. This reflects its hurried conception and drafting in the face of an imminent ballot proposition that policymakers feared would cause even worse problems.
The CCPA mercilessly attacks advertising-supported websites by requiring prominent and persistent postings of data-sharing opt-out mechanisms hyperbolically labeled “DO NOT SELL MY PERSONAL INFORMATION.” If a substantial percentage of the population opts out then publishers’ revenue may plummet, and success will be much harder to attain for content startups, bloggers and specialty publishers.
Technically the law is rife with internal inconsistencies that will vex compliance and enforcement efforts. Another weakness is that (apart from its data breach provisions) the law treats almost all data alike, conflating the most sensitive identifiers with generic website code which leads to illogical results.
- Under the guise of mandating consumer choice, the law requires content owners to prominently link to a sensationalized and mischaracterized “DO NOT SELL MY PERSONAL INFORMATION” opt-out mechanism that intends to persuade consumers to opt out of behavioral advertising – even when their data is not being sold. If substantial numbers of people opt out then website and app publishers that rely on advertisements for revenue will be harmed, and digital content startups and investors will be discouraged. The net result will be less content (in particular, less free content), fewer voices participating in the marketplace of ideas, and more advertising that is also less relevant.
- By requiring all websites participating in the digital data ecosystem to link to an opt-out, the law promotes a misguided conclusion that all websites are selling personal information, which is not the case. Rather, the foundation of behavioral advertising is the analysis of large volumes of data aggregated by third parties that partner with websites and apps.
- The law needlessly defines almost all data as “sensitive” and worthy of more protection. The overbroad approach to data regulation is imprecise, costly and unnecessary, and burdens even the smallest enterprises that historically have not collected sensitive data. Regulating generic pixel tags and anonymous IDs the same as Social Security numbers is like regulating all transportation – including roller skates and automobiles – alike.
- Today digital publishers can choose whether to offer content in exchange for a subscription fee or to instead fund operations through advertising that monetizes data. The Act, however, encourages consumers to opt out of data-based advertising and also prohibits publishers from blocking consumers who do not permit data-based advertising or requiring that they pay. This is unfair to publishers who need to finance the costs of their content and site operations. This restriction is also anti-consumer as it denies consumers the option of choosing to “pay” with cash or by providing data.
Clear Terms: Terminology should be clear to avoid confusion, inconsistency and disputes. [Score: 4/10]
- Is information that is “shared” with an online network subject to the “sale” of information regulations?
- The law says that it protects California “residents,” but are they protected when they are out of state?
- The law, on the one hand, prohibits “charging different prices or rates for goods or services,” to consumers based on whether they allow the sale of personal information, but it allows “incentives, including payments to consumers as compensation, for the collection of personal information, the sale of personal information, or the deletion of personal information.” In this construct is it possible to provide consumers with incentive payments and have those not considered differential pricing?
Specific Harms: Legislation should focus on specific harms and outcomes. [Score: 2/10]
Helpful Processes: Required processes and notices should be clearly defined and helpful. [Score: 4/10]
Similarly, the mandatory link to the “DO NOT SELL MY PERSONAL INFORMATION” opt-out is prominent and clear, but the requirement is misleading in that it is required for websites that are not actually selling data.
Not Retroactive: Legislation should not be retroactive – new rules should not apply to previously lawfully collected data. [Score: 6/10]
Not Harmful: Legislation should not inhibit beneficial data models and uses. [Score: 1/10]
Free Speech: Legislation should not inhibit freedom of expression or government transparency. [Score: 1/10]
Simple Consents: Consent standards should be clear for organizations and promote clarity for consumers. [Score: 6/10]
International Commerce: International commerce and cooperation should not be inhibited. [Score: 6/10]
Fair Enforcement: Enforcement provisions should be responsible and trustworthy; not chilling or anti-competitive. [Score: 7/10]
Small Enterprises: Small organizations should not be prejudiced by impractical or anti-competitive burdens. [Score: 4/10]
“9-10” means the legislation thoughtfully accounts for the concern.
“7-8” means that, with adjustments, it can likely account for the concern.
“5-6” means it is neutral on the matter, or that any concerns can be readily cured or mitigated.
“3-4” means that causes confusion or concern, but not in as widespread a manner as a “1” rating.
“1-2” means that it is poorly drafted or considered, and likely generates more confusion or problems than it cures.