3. California Senate committee OKs bill that privacy advocates say weakens CCPA’s handling of “deidentified” data; watch Aug. 12; premium-services charge apparently maintained
A California Senate Committee reversed itself and unanimously approved a proposed amendment to the California Consumer Privacy Act. The amendment would weaken handling of “deidentified data,” say privacy proponents.
The move comes as Aug. 12 emerges as the next key date for observers to figure out whether the CCPA will be amended before it takes effect Jan. 1. The California Senate was to adjourn for summer recess on July 12 and return Aug. 12. On that date, multiple CCPA-amending bills are scheduled for committee hearings.
On July 9, the Senate Judiciary Committee, meeting for nearly 12 hours in Sacramento, approved and rejected various amendments to the CCPA that had already been through the California Assembly. One of them, AB 873, proposes to change the definition of “deidentified” information. First, the committee deadlocked 3-3-3 on the measure, but then on a move to reconsider, approved it 9-0.
The amendment would also add the word “reasonably” in two places where “personal information” is defined, making it easier for data companies to argue they aren’t responsible for a data hack exposing personal information in an “unreasonable” way.
The “deidentification” issue is important for advertisers, publishers and other data aggregators, who are seeking ways to continue to personalize ads and content to individuals’ interests without having to know each individual’s unique attributes. The proposed amending language would substantially lighten the burden on data-tech companies handling deidentified information.
Here is how the CCPA defines “deidentified” (emphasis added):
(h) “Deidentified” means information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer, provided that a business that uses deidentified information:
(1) Has implemented technical safeguards that prohibit reidentification of the consumer to whom the information may pertain.
(2) Has implemented business processes that specifically prohibit reidentification of the information.
(3) Has implemented business processes to prevent inadvertent release of deidentified information.
(4) Makes no attempt to reidentify the information.
Here is how AB 873, in the form passed 9-0 in committee last week, defines “deidentified”:
(h) “Deidentified” means information that does not identify and is not reasonably linkable, directly or indirectly, to a particular consumer, provided that the business makes no attempt to reidentify the information, and takes reasonable technical and administrative measures designed to:
(1) Ensure that the data is deidentified.
(2) Publicly commit to maintain and use the data in a deidentified form.
(3) Contractually prohibit recipients of the data from trying to reidentify the data.
Another CCPA amendment that would confirm the right of publishers to charge for “premium services” after a consumer refuses to share personal data appeared to survive and was sent to the California Senate Appropriations Committee on an 8-0 vote. AB 846, if it becomes law, would state that a publisher or other entity is permitted to charge a different price, rate, level, or quality of goods or services,” if a consumer declines “participation in a loyalty, rewards, premium features, discount, or club-card program.”