Businesses Confused Over Terms of California’s New Privacy Law

SAN FRANCISCO (CN) – With a monumental privacy law set to take effect in just a few weeks, privacy advocates, corporate lawyers and representatives from trade groups and financial institutions flocked to a public hearing in San Francisco on Wednesday to voice the almost unanimous view that the California Consumer Privacy Act still needs some work.

Well-intentioned, but overly-broad and unclear seemed to be the consensus, while more specific concerns ran the gamut from ill-defined terms to the lack of guidance on opt-out notices to consumers.

The act will apply to businesses with annual revenues over $25 million, that buy, receive or sell information of 50,000 consumers or get 50% or more of their revenue from selling consumers’ data.

This means that as many as 500,000 companies must tweak or overhaul their privacy practices to conform with the law, which requires them to respond and maintain records of consumer requests to know what information has been collected on them and delete that information if asked, update their privacy notices to disclose their data collection practices to consumers and provide a “Do Not Sell My Info” link on their websites and mobile apps for consumers wishing to opt-out of having their information sold to third parties.

The law also puts the onus on businesses to notify all third parties to whom it has sold a customer’s information within 90 days of receiving an opt-out request from that person.

Among the more confounding aspects of the law, even for experts, are the definitions and relationships of “businesses,” “service providers” and “third parties.” Barbara Lawler, the Chief Privacy and Data Ethics Officer for Looker, said her company had been working to map these relationships, but “even with a team of experts, advisers and peers, I’m not sure we’ve got it right. And I’m not sure a lot of other companies are either, even though they are actually trying.”

She also challenged CCPA’s puzzlingly complex notice and privacy requirements. “Did you intend multiple separate notices that went into a privacy policy? Or a privacy policy that includes multiple notices? So many notices, so much nested linking. It’s almost like privacy notice ‘Inception.’”

Other speakers asked that the law’s effective date be delayed by at least two years, to give financial institutions more time to understand and comply with its provisions.

“There is a lot of room for interpretation and ambiguity,” said Jason Mertz-Prickett, vice president of operations for Upward Credit Union, who asked that the CCPA go into effect on Jan. 1, 2022.

He also said the current statute provides little to no guidance on what right to opt-out notices and responses to consumer requests for information should look like.

“These notices and responses are required to be easily read and understandable by the average consumer. With no guidance on what that means or provided examples, methods or metrics to gauge these on, it makes it extremely difficult to develop these notices,” Mertz-Prickett said. “Samples or uniform notices would not only help not just small credit unions but all financial institutions.”

One of the most scathing comments came from Todd Smithline, an attorney who represents SaaS (Software as a Service) providers for web-based HR and accounting services for employers. He took issue with one specific provision of the law, which prohibits a service provider from using personal information “for the purpose of providing services to another person or entity.”

Since this is the business model for SaaS providers, Smithline urged representatives from the Attorney General’s office to reconsider this likely unintended consequence of the statute.

“The way most companies manage their HR, accounting and project management is though large SaaS applications full of data collected from users,” Smithline said, adding that SaaS providers use the data it collects to improve on their product, all without sharing or disclosing that information to others.

“It does not say a service provider shall not share, it doesn’t say a service provider shall not sell, it doesn’t say a service provider shall not disclose. It simply says shall not use,” he said. “We have scoped in here activity which does not disclose or put at risk any individuals’ private information, but would cause hundreds of millions of dollars of productive economic activity to be called into question.”

Smithline, a lecturer at Berkeley Law School, also took a swipe at the CCPA’s authors, saying he needed a team of lawyers just to read and understand it. “Let’s face it, this thing was essentially written by a broken robot,” he said.

“That’s a new one for me but I appreciate it,” laughed Rick Arney of the Californians for Consumer Privacy, one of the law’s co-authors.

During his turn at the podium, Arney called on the attorney general to beef up the statute to give consumers more options for opting-out of their data being sold, like adding a “do not track” browser setting.

“Many consumers and businesses rely on that signal already,” he said.

He also opposed the 15-day grace period for businesses to stop selling a consumer’s personal information after receiving an opt-out request.

“The bottom line is this should be as short as possible, If a company can start selling immediately it should be able to stop selling immediately as well,” he said, proposing something closer to 72 hours.

The CCPA was modeled after Europe’s General Data Protection Regulation which requires companies to protect the personal data and privacy of all EU citizens, but some companies have already found ways around its structures.

Henry Lau of Privolta, a company that provides security and privacy-driven ad infrastructure, said his company has studied the consent-collection processes of companies like Google in response to the GDPR.

In examining the top 50 websites in the UK, Lau said the opt-out process was cumbersome across the board.

“Across all of them, the process of opting out is more difficult than opting into data collection.” For example, Google’s opt-out process took 17 clicks and three minutes, while opting-in took two seconds and only one click.

“By declaring psychological warfare on consumers who wish to opt-out, these practices violate the spirt of privacy laws we’d like to sound the alarm before these practices are allowed to go unhindered here as well,” Lau told the AG’s panel.

Wednesday marked the third day in a week of public hearings hosted by the attorney general. The deadline to comment publicly on the CCPA is Friday, Dec. 5.

Meanwhile, the CCPA’s authors have forged ahead with efforts to expand the law with an initiative they hope to put before voters next year. The California Privacy Rights and Enforcement Act of 2020 extends required disclosures to how personal information is used to influence elections.

It would also impose heavy fines for companies that violate the privacy rights of children and establishes a new government agency for privacy protection, supposedly financed by fines levied against privacy violators.


An earlier version of this story incorrectly identified Mr. Smithline as an attorney representing specific tech companies. He spoke at the hearing in his individual capacity.

%d bloggers like this: