TANYA FORSHEIT IS A LAW PROFESSOR, ATTORNEY AND CYBERSECURITY EXPERT. She chairs the Privacy & Data Security Group at the Los Angeles office of Frankfurt Kurnit Klein & Selz, teaches at Loyola Law School and was named by the Daily Journal as one of the top 20 cyber attorneys in California in 2018. She brought those powerhouse credentials and a foreboding warning to Sacramento on Feb. 5 when the California News Publishers Association gathered for an annual meeting of news professionals.
Forsheit was there to sound the alarm about the California Consumer Privacy Act.
“It is the absolute worst thing that California could be doing if it actually believes in a free press and making all news available to all consumers,” she said. “Trust me when I tell you the legislators do not understand how this works.”
The law was passed in haste in 2018 after a Bay Area housing developer named Alastair Mactaggart bankrolled a $3 million-plus campaign to gather signatures for a ballot initiative that would enshrine personal data protection into California law. Because ballot initiatives are more challenging to amend than laws enacted by the Legislature, the California Legislature decided to crib the language straight from Mactaggart’s ballot measure. They did, with a delay – the law does not take effect until Jan. 1, 2020 – designed to give lawmakers time to make changes. Cue forward to this legislative session, with no fewer than a dozen bills introduced that would modify the CCPA.
Forsheit is one of the dozens of attorneys and cyber experts who have been lobbying the Legislature to make those changes, and a flurry of bills that define and redefine terms like “privacy” and “sale of personal information” have been moving along, but many have been coming to a halt as the legislative session comes to a close. (See story, p. 26.)
Mactaggart was moved to action by the Facebook/Cambridge Analytica scandal. With his supporters, including the American Civil Liberties Union and Electronic Frontier Foundation, he submitted 629,000 signatures in May 2018, almost double the requirement of 366,000 to qualify for the ballot. Lawmakers contacted Mactaggart looking for a compromise deal, and just hours before the deadline to withdraw a ballot initiative – 5pm on Thursday, June 28, 2018 – AB 375 passed. Mactaggart pulled the initiative.
Instead of an initiative, we have what Forsheit’s colleague, attorney Daniel Goldberg, calls “a monster bill.”
“It comes from a really good place,” he says, “but the way that it was written, it’s kind of a monster. It has some of the stuff from [the Europe Union’s General Data Protection Regulation]. But it doesn’t clarify how things work.”
Europe’s GDPR, a data privacy law meant to rein in Big Tech companies like Facebook and Google, took effect on May 25, 2018. Maybe you’ve traveled to Europe since then. In the early days, if you tried to pull up a news site like the Dallas Morning News or Baltimore Sun on your laptop or smartphone, you’d instead see an error message from news outlets that did not comply – they decided it would be cheaper just to forego European readers. Click to the Los Angeles Times, and you’d get the message, “Unfortunately, our website is currently unavailable in most European countries. We are engaged on the issue and committed to looking at options that support our full range of digital offerings to the EU market.”
Still today, if you’re traveling in Europe and go to montereycountyweekly.com, you get an error message: “451: Unavailable due to legal reasons. We recognize you are attempting to access this website from a country belonging to the European Economic Area including the EU which enforces the General Data Protection Regulation and therefore access cannot be granted at this time.”
When Goldberg talks about implementation of the Consumer Privacy Act, which has been dubbed “California GDPR,” he calls it “D-Day.” What “D-Day” in California privacy looks like remains very much a question mark: Will users get error messages and a lack of access to websites like they did in Europe? Will hundreds of small businesses with websites that collect user information – customers who have entered email addresses to receive promotions, for instance – shut down their websites, or hire tech firms to get them into compliance?
“Everything from toasters and baby dolls to televisions are connected to the Internet, gathering and using a wide range of information,” according to a Senate Judiciary Committee analysis of the bill. That information includes things like phone numbers, email addresses, hotel preferences and shoe sizes.
When Mactaggart created the group Californians for Consumer Privacy and launched his ballot initiative, he was attempting to take on Big Tech giants. Those companies, Forsheit and Goldberg say, are going to have no trouble complying with the CCPA because they’ve already gotten into compliance with GDPR. It’s the smaller entities, like local newspapers and boutique vendors, that are likely to have the toughest time making their websites legal and accessible.
“That’s the kind of awful irony,” Forsheit said at the CNPA conference. “Facebook and Google really have nothing to lose at the end of the day. Alastair [Mactaggart] thinks he’s taking down the Goliath – absolutely not.” (Through a spokesperson, Mactaggart declined a request for an interview.)
The California law applies to companies that meet at least one of three thresholds: They do at least $25 million in revenue annually; the business makes at least half its money by selling data; or the business gathers information on at least 50,000 consumers per year. (For comparison,Monterey County Weekly’s website had 1.4 million unique visitors in the past year. Many do not provide personal information, but tens of thousands of readers do provide identifying information, like email addresses.)
Town News is an Illinois-based company that provides digital publication services to some 2,000 news outlets, including the Weekly. Since GDPR took effect in Europe, the default has been for its websites in Europe to get the 451 error.
One lingering issue with CCPA is the definition of “deidentified data.” Think of the creepy effect of searching online for a new camera, say – and then everywhere you go, whether checking email or reading the news or booking a hotel room, an advertisement for a camera pops up.
“If you’re in a department store and you’re using a credit card, you can tell the department store you want to be forgotten,” Irwin told the Senate Judiciary Committee on July 9. “They go in and erase everything they can reasonably associate with you. If you get rid of the ‘reasonably,’ they have to [check] other data, such as a store camera – you’re going to have to use facial recognition. It’s really anti-privacy.”
Meanwhile, the federal government is taking its own tack cracking down on Big Tech. July 24, the Federal Trade Commission announced a $5 billion settlement with Facebook, “for its failure to protect consumers’ privacy” and “deceptive privacy settings” – and failure to comply with previous FTC orders. The fine amounts to 9 percent of Facebook’s revenue last year. It’s the largest civil penalty ever, and “establishes a new era of privacy transparency at Facebook and at WhatsApp and Instagram, which Facebook owns,” according to the FTC.
In her dissent, Commissioner Rebecca Kelly Slaughter wrote that even the unprecedented fine is not enough to chasten Facebook: “The fact that Facebook’s stock value increased with the disclosure of a potential $5 billion penalty may suggest that the market believes that a penalty at this level makes a violation profitable.”
Goldberg says whether the amount of the Facebook fine was appropriate remains debatable, but he writes in a blog post that the takeaway is clear: “Failure to incorporate privacy by design has real monetary consequences for business, which will amplify once the California Consumer Privacy Act takes effect in January 2020.”
Here’s some of what the California Consumer Privacy Act does – and doesn’t – do.
When the law takes effect on Jan. 1 of 2020, it will apply to companies that meet any one of three thresholds: They earn at least $25 million in revenue annually; the business makes at least half its money by selling data; or the business gathers information on at least 50,000 consumers. (That translates to roughly 137 website visitors per day.)
There will likely be a six-month lag until enforcement begins, with regulations and an enforcement plan due from the Attorney General’s Office by July 1, 2020.
Here’s some of what it will mean for businesses and consumers.
- Businesses will be required to tell their customers what information they collect about them, and how they use or sell it.
- They’ll have to provide “a clear and conspicuous link” on their homepage titled “Do Not Sell My Personal Information” that allows consumers to opt out. Businesses cannot require consumers to create accounts in order to opt out.
- Consumers can direct a company to give them access to their personal information.
- Consumers can direct a company or delete any personal information the company has obtained from them.
- Consumers have recourse in civil court, seeking up to $750 per violation if their personal information is disclosed without permission.
- The Attorney General will be able leverage fines up to $7,500 per each intentional violation of the law. A portion of those penalties would go to the new Consumer Privacy Fund. (The Attorney General’s Office is responsible for developing a framework for enforcing the law by July of 2020.)
Lawmakers passed a sweeping privacy bill with plans to amend it before it takes effect in 2020. Those plans are dying in committee.
AT A MARATHON 12-PLUS-HOUR HEARING that stretched into the wee hours on Tuesday, July 9, lawmakers passed a flurry of amendments to the landmark California Consumer Privacy Act.
Legislators on the state Senate Judiciary Committee labored until nearly midnight to meet a mandatory deadline to vote on dozens of bills. Among them were several that critics said would gut the privacy act before it can go into effect.
But the contentious Assembly Bill 1416, excoriated by opponents as one of the more tech industry-friendly measures, was absent from the agenda.
Hayley Tsukayama, a legislative analyst with the Electronic Frontier Foundation – a supporter of the CCPA, and an opponent of AB 1416 – says it had been pulled by the author, Assemblymember Ken Cooley, D-Sacramento, at the last minute. The bill would have allowed businesses to sell personal data to third parties, even if a consumer specifically opted out of such practices. It also carved out an exception to the CCPA that would allow businesses to provide a person’s data to the government if used for carrying out a government program.
The bill will be dropped from this year’s legislative session and will likely re-emerge next year. “We are pleased that this bill, which would have opened a major loophole in the CCPA, will not move forward this session,” Tsukayama says.
Cooley’s office did not return phone calls seeking comment.
It’s just one of multiple proposed amendments that would tweak the CCPA, set to take effect next year.
Under the CCPA, California residents will soon have a right to know when a business has collected and/or sold their personal information; the power to forbid a business from selling their information to third parties; and the ability to demand a business delete stored information. The law is the result of a deal between lawmakers and real estate magnate Alastair Mactaggart, who spent millions to qualify a statewide measure for the November ballot last year. In exchange for the bill’s passage, Mactaggart agreed to pull his measure days before an election deadline.
Former governor Jerry Brown signed the CCPA in 2018 with the understanding that lawmakers would continue to tweak and mold it before it goes into effect on Jan. 1, 2020.
But those tweaks are looking less likely, and more minimal, as the legislative season moves toward its Sept. 13. deadline for any bill to be passed. (Lawmakers are currently in summer recess, and reconvene Aug. 12.)
Some of the potential tweaks did move forward and advance out of the Senate Judiciary Committee. Among them are Assembly Bill 25, with amendments that led opponents to take a neutral position. The bill, by Assemblymember Ed Chau, D-Monterey Park, allows employers to collect data on workers without telling them. Chau amended the bill to require employers to tell employees what type of information they are collecting and the reason for doing so.
Labor groups dropped their opposition only after a sunset clause was added, ending the provision Jan. 1, 2021.
Mactaggart, founder of Californians for Consumer Privacy, calls the privacy act “historic” and “sweeping” and says he’s been keeping a close eye on the proposed amendments.
“The power of California law will hold the world’s largest corporations accountable for how they are using our personal data,” Mactaggart says. “But make no mistake: Last year’s David-versus-Goliath fight for consumer privacy rights continues, and we’re as dedicated as ever to making sure every consumer has control over what happens to their personal information.”
Privacy groups also opposed Assembly Bill 1564, which would amend the CCPA by removing a requirement that businesses provide a phone number for people requesting access to their personal information, noting the original law makes it harder for people without internet access to exercise their privacy rights. The bill passed after an amendment restored a phone number requirement for businesses.
Late into the night, the committee reached the strongly contested Assembly Bill 873, which would change the definition of “personal information” in the CCPA and expand the definition of “deidentified” information – private data not tied to a specific individual (think cookies that show where you are, but not who you are) – so that more private data falls outside the protections of the CCPA.
The bill would have also added the word “reasonably” before “capable of being associated with” in the definition of personal information. This bill was backed by the California Chamber of Commerce had support from the California News Publishers Association (of which the Weekly is a member) and the business community at large.
Essentially, AB 873 takes what was once personal information and depersonalizes it so businesses can use it in any way they want, and still comply with the CCPA.
Ariel Fox Johnson, senior counsel for policy and privacy at Common Sense Media, says AB 873 “represents an erosion” of the landmark privacy law by lowering the threshold of what qualifies as deidentified information to include IP addresses and even browser fingerprints, which potentially can be used to identify people and track their online activity.
Committee chair, State Sen. Hannah-Beth Jackson, D-Santa Barbara, proposed amendments but they were rejected by the AB 873 author, Assemblymember Jacqui Irwin, D-Thousand Oaks. The amendments would have exempted a business from complying with a consumer request to delete personal information if it meets three conditions: It is not reasonably capable of linking a request with the personal information; the business doesn’t sell the information to third parties; and the business does not use the information to identify a specific consumer.
Irwin said she could not support amendments that would weaken her bill, saying AB 873 as proposed would make the CCPA more understandable and workable for small businesses. She noted that Mactaggart’s group, Californians for Consumer Privacy, is neutral on the bill.
“It is crucially important that California get it right; that we make CCPA workable for not only our Googles, but workable for small businesses. We want to make sure every business understands how important it is to protect our privacy,” Irwin told the Judiciary Committee. “If we do not get it right, there will be federal preemption.”
Jackson, who called Irwin’s bill a “jail-break” of the CCPA, says she was not surprised that it enjoys strong backing from the tech industry.
Jackson added, “I think [AB 873] is a dangerous bill. The CCPA, from my perspective, is a pretty weak cup of tea but it’s what we’ve got. There was a commitment that we were not going to do anything to undermine it.
“If we start undercutting it now by expanding a definition that pulls that information outside the protection of the CCPA, we will take what is a weak cup of tea and turns it into water.”
The committee vote was 3-3, so AB 873 failed. (Among the no votes was State Sen. Bill Monning, D-Carmel.)
Irwin asked for reconsideration, which means there is still a chance it could pass if she can drum up more support from colleagues after the Legislature returns from summer recess.
The bills that passed will head to the Senate Appropriations Committee, and if they pass, to the floor for a full Senate vote.