Data Privacy Laws

Pausing Changes Will Give Businesses Time Needed to Put Current Law into Effect

• The California Privacy Rights Act (CPRA) is not yet fully operationalized and it is unclear when it will be, given the delay of regulations.

• Efforts to identify “gaps” in the CPRA or to otherwise expand the CPRA are premature, since the CPRA is not yet in effect. New laws would only make compliance more difficult and elusive, ultimately undermining/weakening consumer rights.

• The CPRA is a comprehensive, technology-neutral and industry-neutral law, which is critical on an operational level. As such, the California Chamber of Commerce: (1) will oppose new efforts to implement special restrictions for specific types of personal information (PI) that already are protected by the CPRA, or specific restrictions based on types of technologies or industries collecting PI; (2) will not support efforts that wholly remove or restrict consumer choices by blanketly prohibiting certain activities; and (3) will actively oppose any efforts that would create confusion to applicable rules to certain subsets of PI or the industries or technologies used to collect personal information and/or would add a new private right of action to the CPRA or to PI-, industry-, or technology-specific legislation.

• The CalChamber believes it is critical to focus on enforcing existing rights and will advocate in favor of efforts to address compliance and help ensure that businesses can effectuate existing rights for consumers, as well as efforts that help make compliance less costly and burdensome.

California Consumer Privacy Act

In 2018, the Legislature passed AB 375 (Chau; D-Monterey Park et al., Chapter 55, Statutes of 2018), enacting the California Consumer Privacy Act (CCPA), in lieu of a competing initiative effort that was eligible for the ballot (initiative measure No. 17-0039, Consumer Right to Privacy Act of 2018). By undertaking this legislative effort, the Legislature was able to accomplish three major objectives:

• Allow greater participation and input from a variety of stakeholders to strike a better balance between competing interests;

• Incorporate tradeoffs that would add or enhance various consumer rights and protections on the one hand, and remove certain provisions to address workability issues/legitimate business practice concerns and otherwise limit liability exposure for businesses on the other; and

• Ensure that the Legislature could amend that law with a simple majority vote in most cases, as opposed to a two-thirds vote that was mandated by the initiative. As described in the AB 375 Assembly Privacy and Consumer Protection Committee analysis at the time of the bill’s passage:

“…in order to reach a legislative compromise on the issues surrounding the collection and sale of a consumer’s PI by a business, the authors of this legislation have sought to both add protections to the initiative, and remove various provisions that raised workability issues/legitimate business practice concerns and otherwise limit liability exposure. The tradeoffs to address industry concerns and counterbalance the consumer rights added within this bill, include the following:

“• the removal of the initiative’s whistleblower provisions;

“• a significant reduction of business’ liability exposure pursuant to consumer-initiated actions;

“• a right to cure, when possible, both in the public and private enforcement provisions;

“• a limitation of public enforcement to actions by the AG [Attorney General] and explicit authorization to receive guidance from the AG on compliance as the single regulatory entity;

“• a recognition of the ability of businesses to engage in various research-related activities, such [as] for internal research and development, or other allowable forms of research with specified safeguards that would both ensure informed consent and better protect the consumers’ information used in the research;

“• additional express exemptions, such as to exercise or defend legal claims, or for PI collected, processed, sold, or disclosed pursuant to certain federal laws, if the handling of the PI is in conflict with that [of] those laws.

“• language clarifying that businesses are not required to retain PI in situations where they would not ordinarily maintain that information (which would also undermine consumer protections);

“• authorization to engage in certain financial incentive programs, as specified, such as free subscription services in exchange for advertising where the value to the consumer is based on the consumer’s data, as long as the financial incentive program is not unjust, unreasonable, coercive, or usurious and is directly related to the value provided to the consumer by the consumer’s data;

“• a narrowing of the definition of ‘sell’ to remove reference to situations that do not involve valuable consideration; and

“• limit the obligation of businesses to reveal to consumers to whom the consumer’s PI was collected and shared with, or sold to or disclosed for a business purpose to, to ‘categories’ of third parties, as opposed to specific third parties.”

(See June 27, 2018 Assembly Privacy and Consumer Protection Committee analysis of AB 375 (2017–2018 Reg. Session), pp. 15-16.)

California Privacy Rights Act

Notably, although AB 375 was passed in 2018, the CCPA became operative January 1, 2020, which allowed businesses time to take necessary steps to operationalize the law. However, by November 2020, the 2018 initiative proponents, who were heavily involved in the AB 375 negotiations to obtain their agreement to remove the initiative from the ballot, succeeded in winning voter approval for Proposition 24, enacting the California Privacy Rights Act (CPRA). The CPRA not only changed and/or added new rights to the CCPA, such as the right to correct, but also removed key elements of the AB 375 negotiated compromises even before the ink on that law had dried. Two of the critical negotiation points that Proposition 24 removed included:

• the limitation of public enforcement to actions by the AG and explicit authorization to receive guidance from the AG on compliance as the single regulatory entity;

• the narrowing of the term “sell” to remove reference to situations that do not involve valuable consideration.

Like the CCPA, the CPRA included delayed implementation for nearly all of its provisions. Specifically, the act takes full effect on January 1, 2023. And once again, like what happened on the heels of passing the CCPA, the passage of the CPRA has not deterred efforts by consumer advocacy groups to move the goalpost again even though the updated data privacy law has not even taken effect, and implementing regulations for that act are not only behind schedule but will not be in place come January 1, the putative effective date.

In the prior 2021–2022 legislative session, a significant number of bills were introduced on the premise that there are gaps in the law for consumer protection in relation to specific types of PI; or the CPRA does not go far enough and should be strengthened because of the importance or sensitivity of particular data. That reasoning ignored that the CPRA is not yet operationalized, making such determinations premature, and that different consumers may consider different PI to be more or most sensitive.

Stakeholders should not be allowed to substitute their judgment for that of consumers when it comes to making such determinations. We saw multiple examples of this proposed in 2022 with SB 346 (Wieckowski; D-Fremont) and SB 1189 (Wieckowski; D-Fremont), which, if implemented, would have restricted the options consumers have in how their PI could be used.

Neither consumers who are the subject of protections, nor businesses that are the target of restrictions are monolithic. Such diversity of priorities does not necessitate or warrant separate restrictions for every type of PI or every industry or every technology; it merely speaks to the importance of a comprehensive-yet-flexible framework that applies uniformly. This approach recognizes that the more laws and regulations passed that take a piecemeal, PI-specific, technology-specific or industry-specific approach to privacy rights and public policy in this state, the harder it becomes for businesses to effectuate and deliver those rights to consumers in a comprehensive and effective manner. At minimum, it cannot be assumed that more restrictions will translate into better protections. A comprehensive, flexible framework has the added benefit of avoiding the Legislature picking and choosing winners and losers among industries and companies, where the privacy concern of the consumer is equitable.

In the last year, the California Chamber of Commerce opposed and defeated numerous bills that would have, for example:

• Applied extensive prohibitions regarding student PI when in the hands of proctoring service businesses only.

• Established significant new restrictions for biometric information along the lines of the Illinois Biometric Information Privacy Act (BIPA), ignoring not only that biometric information is protected under the CPRA, but that Illinois does not have a comprehensive data privacy statute along the lines of the CPRA — nor do any other states that have a BIPA-type statute. Having the CPRA in California directly undercuts the need for a BIPA statute.

• Imposed new restrictions based on the collection of PI by an in-camera vehicle or a smart speaker, but not for phone or home computers, which may capture the same data.

With alarming frequency, the argument has been that “the CCPA was the floor, not the ceiling.” This post hoc rationalization ignores the ramifications of returning to a piecemeal approach to data privacy. Relying on this logic as justification for adding to or changing the CPRA now ignores the reality that the so-called floor has not yet settled. Without a solid foundation, any effort to build that second or third floor is bound to crumble and potentially bring the whole house down to the detriment of both businesses and consumers alike.

This argument also relies on the false premise that to strengthen consumer rights, new laws must be passed. There can be as much, if not more impact, if adequate attention were provided on the back end to implementing regulations and compliance efforts, as well as public awareness efforts that help consumers understand and exercise their existing rights.

The CalChamber strongly believes that businesses and consumers alike would benefit more — that privacy laws could be strengthened — if the Legislature simply stopped moving the data privacy goalpost long enough for businesses and consumers to effectuate and exercise existing rights. Hitting the pause button on changing the rules long enough to allow the California Privacy Protection Agency to adopt implementing regulations in a stable legal environment will allow businesses the time necessary to put those rules and regulations into action.

CalChamber Position

The CalChamber opposes any new privacy legislation that creates carve-outs or special/disparate rules that would layer on top of the CPRA for only certain types of personal information, industries, or technologies used to collect the personal information. We also oppose any efforts to add a private right of action to either the CPRA, or to separate statutes that would apply to information that is otherwise protected under the CPRA.

January 2023