2. Privacy advocates appear to win — for now — over tech-industry efforts to water-down CCPA in committee
Privacy advocates were evaluating this week the outcome of a Tuesday session of the California Senate Judiciary Committee, which took action on several amendments to the California Consumer Privacy Act (CCPA) at a marathon hearing which ran into the evening on July 9.
The Electronic Frontier Foundation had opposed all the measures on privacy grounds and praised the committee for rejecting, for now, AB 873 which the EFF said: “would make it easier for businesses to force consumers to pay for their privacy rights under the guise of loyalty programs.” The measures defeated or sidetracked by the committee would have “eviscerated” the CCPA, the group said. It has been joined by the ACLU and Consumer Reports in its opposition to weakening the law by amendment.
One report on the 12-hour hearing by Cheryl Miller at Law.com was headlined: “Tech’s Efforts to Diminish Landmark Privacy Law Fizzle, for Now” — the first significant defeat for tech companies.” The amending bills are AB 1416, AB 25, AB 873, AB 846 and AB 1564.
Attorney Alexia C. Chapman of the firm of Ballard Spahr LLP summarized in a National Law Review post the outcomes on four key measures. She wrote that the committee modified but advanced AB25, to exempt certain employment data from CCPA. It also amended and approved AB1564, which now reduces the situations in which a web service has to provide a phone number — in addition to an email address — for consumers to discuss or opt-out of data use.
Chapman wrote that the committee deadlocked 3-3 on AB873 — a tech-industry effort to de-regulate some types of personal information and make it easier to define other information as “de-identified”. That means the measure — for now — is stuck in committee. And it tabled AB1416, which would have allowed third parties to sell user data for purposes of detecting security incidents or to protect against malicious actors.
AB873 would eliminate data such as IP addresses from being included in its definition of “personal information.” And it had been amended to define “de-identified” information as:
“[I]nformation that does not identify and is not reasonably linkable, directly or indirectly, to a particular consumer, provided that the business makes no attempt to reidentify the information, and takes reasonable technical and administrative measures designed to:
Ensure that the data is de-identified.
Publicly commit to maintain and use the data in a de-identified form.
Contractually prohibit recipients of the data from trying to reidentify the data.
The Legislature has a self-imposed July 12 deadline for committees to report bills to the floor. But there are already other measures related to the CCPA which could be extensively amended by floor action based on the outcome of negotiations among lobbyists, industry, and lawmakers. That could allow a revisit of all aspects of the law, which takes effect Jan. 1. Ryan Johnson, writing at StateScoop, quoted an American Civil Liberties Union statement as saying the effect of the measures considered by the Senate committee, if all had passed, would have been to sell “vast amounts of data, purportedly for anti-fraud purposes.”