by Lynn Haaland
The California Consumer Privacy Act (CCPA) is an important development for companies doing business in California, that have revenues above a minimal threshold – which effectively means that the act will impact many of the largest companies doing business in the United States. On Monday, February 25, 2019, Senate Majority Leader Hertzberg, who represents the eastern San Fernando Valley senate district and who was recently selected as Senate Majority Leader, addressed a group in downtown San Francisco about the CCPA.[1] Senator Hertzberg, along with California State Assembly member Ed Chau, were the primary architects of the CCPA. For this reason, Senator Hertzberg’s comments about the CCPA are worth paying attention to.
Before addressing the Senator’s comments, a few basics about the CCPA.
- Governor Jerry Brown signed the law in June 2018 (with amendments in September 2018). The CCPA goes into effect on January 1, 2020. In the interim, the California legislature is likely to consider further amendments. According to Senator Hertzberg, some 24 privacy bills have been introduced in the state legislature.
- Who is protected? The CCPA covers natural persons who are California residents (as defined by state tax regulations), and includes employees, patients, students and children. The CCPA provides California residents with a variety of new rights, including the right to know what personal information is being collected or sold and the CCPA allows consumers to prohibit the sale of their personal information. [2]
- Who must comply? Any company doing business in California provided: the company has gross revenues of more than $25 million, alone or with other companies; the company handles the personal information of 50,000 or more California residents, households, or devices; and the company earns 50% or more of its annual revenue from selling the personal information of consumers (defined as California residents).
On February 25, Senator Hertzberg, along with his Chief of Staff, Dr. Michael Bedard, shared some insights about the origins of the CCPA. The Senator framed the need for the law broadly, stating that it all came down to the current imbalance between the rich and the poor. What the Senator meant by poor was the average internet user as opposed to internet millionaires and their technology companies. Effectively, he was speaking about anyone who simply uses an information service company and – without direct monetary compensation – allows (often without knowing it), or is obliged to allow, the company to profit from the information that this usage creates. As stated by Senator Hertzberg, companies have “monetized” consumer data without compensating consumers. The Senator also cited the “incredible imbalance” between the growth of capitol versus the growth of labor, as an important justification for the CCPA. He described the CCPA as part of the debate surrounding some of the larger questions facing society today. For example, the Senator’s rationale for the CCPA raises the question: how do we balance allowing companies to innovate and drive new business models, including the monetization of data, with encouraging companies to treat consumers ethically and in ways that engender trust? This theme is not new in academic and political debates,[3] but it is an important development to see these themes implemented in binding legislation – for in legislation, the rubber hits the road.
The Senator also described several more specific driving forces that made it prudent for the California legislature to introduce the act in 2018. First, according to the Senator, the CCPA was needed because a California ballot initiative (PDF: 2.46 MB) concerning data privacy (sponsored by Alastair Mactaggart) was introduced in 2017, and this ballot initiative imposed harsher penalties on non-complying companies. For example, according to the Senator, the ballot initiative contained a much stronger private right of action against companies for security breaches, which would necessarily impose additional cybersecurity requirements. Furthermore, had the ballot initiative been passed, the resulting law would have been more difficult to modify through ordinary legislative procedures.
Second, Europe’s Global Data Protection Regulation (GDPR) was looming. Senator Hertzberg argued that if California wanted to remain business-friendly, a place where innovation remains a significant economic driver, creating a regulatory regime similar to GDPR would not work. The CCPA does not, according to Senator Hertzberg and Dr. Bedard, limit data processing, require minimization, or stop data collection. The CCPA, as with other U.S. laws generally, allows citizens to opt-out, whereas GDPR and many European laws are opt-in, the Senator observed.
Third, Senator Hertzberg described how the concept of privacy can be interpreted differently by companies and by constituents. Thus, the Senator explained that government intervention was needed to create a working definition of privacy. The Senator stated that “we haven’t done the necessary thinking” as a society to define privacy in a way that works for everyone. By giving consumers more control over the sale of their information, the CCPA is intended to allow the consumer to create his or her own definition of privacy.
Fourth, neither industry nor the federal government were proposing reasonable regulatory frameworks. According to Senator Hertzberg, industry was afraid and therefore “failed to step up.” The federal government also failed to act, perhaps because the current political climate does not allow for compromise. So, Senator Hertzberg and his coalition “took the ball and ran” with it “up the middle.” The Senator also predicted that the CCPA may ultimately become the “national law” given that the federal government may never enact a U.S. federal privacy law.
Senator Hertzberg did not argue the CCPA is perfect. For instance, he cited the definition of “household” as one example where the law needs “improvement.” (Experts cite a number of other issues, including the broad definition of what it means “to sell” data; the confusion around who is a third party vs. a service provider; and the ability to assert a private right of action for security breaches without having to show harm.) However, since the CCPA depends in large part on the California Attorney General’s regulatory authority and rulemaking process, Senator Hertzberg reasoned that as that process and the debate over the current pending privacy bills progress, a number of problems in the CCPA will be fixed.
The Senator also suggested that by the time the CCPA goes into effect in 2020, the government’s role will have diminished (and will continue to diminish over time). The Senator acknowledged that the real power to affect change and improve protections for consumers lies with companies themselves. The Senator foresees that companies will seek to build consumer trust and a positive culture into their business models.
Andrew Burt’s article, “Cybersecurity is Putting Customer Trust at the Center of Competition,”[4], agrees with Senator Hertzberg’s prediction. Burt emphasizes the need for companies to build consumer trust into their business model. Burt identifies three principles (based on companies that have succeeded in building consumer trust), that companies selling software or that are dependent on software (categories that are growing larger every day), can utilize in order to build consumer trust: 1) cyber security and privacy issues need to be front and center in product development (not afterthoughts) in order to establish consumer trust from the outset; 2) data privacy, protection processes, and parties responsible for these processes, need to be readily transparent to people within and outside of the company; and 3) companies need to manage expectations about cyber security and privacy risks. According to Burt, breaches are inevitable, and to behave otherwise undermines a company’s data protection efforts, in addition to the company’s credibility. Many experts agree that it is not whether a breach will occur, but how quickly a company can identify and remediate it, that is a more telling indication of how seriously a company views these risks. By incorporating better security and privacy protections, and then transparently sharing – and indeed, marketing – them, Burt concludes that companies can demonstrate the importance of trust in building business.
If Senator Hertzberg is correct, the CCPA will empower the consumer and will foster trust and a positive culture in businesses.
Footnotes
[1] The California Consumer Privacy Act: A Conversation with California Senator Bob Hertzberg,” Omni Hotel, San Francisco, CA, February 25, 2019.
[2] The definitions of both “personal information” and “to sell” are very broad, and the subject of much discussion, but these discussions are beyond the scope of this post.
[3] For instance, scholars have argued that users of Facebook, Google, Instagram and other internet services are, in important respects, these companies’ suppliers or even “workers” and should be compensated accordingly. See, e.g., Eric A. Posner and E. Glen Weyl, “Want Our Personal Data? Pay for It: The posting, tagging and uploading that we do online may be fun, but it’s labor too, and we should be compensated for it,” Wall Street Journal, April 20, 2018.
[4] Andrew Burt, “Cybersecurity is Putting Customer Trust at the Center of Competition,” Harvard Business Review, March 4, 2019.
Lynn Haaland, risk and compliance consultant, and former SVP, PepsiCo Deputy General Counsel, Global Chief Compliance and Ethics Officer, and Chief Counsel, Cybersecurity
Disclaimer
The views, opinions and positions expressed within all posts are those of the author alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with the author.