In Sacramento, the California Legislature has until the end of September to advance or kill a series of amendments to the California Consumer Privacy Act, before it becomes effective on Jan. 1, 2020. One pending proposal important to publishers could permit charging users for content if they won’t hand over personal data. A second exempts from privacy regulation consumer data which has been “de-identified” or aggregated.
The upstart search engine Duck Duck Go, which touts the fact it doesn’t collect information about individual’s search activity, joined the Electronic Frontier Foundation and Californians for Consumer Privacy on a bill to add a “private right of action” to the CCPA and make other pro-privacy changes. But lawmakers in May decided to bottle up the bill in committee, from which it is unlikely to emerge. Meanwhile, a set of amendments backed by big-tech are advancing.
For publishers, the most interesting is AB 1355, which has already passed the Assembly and is now in a Senate Committee. It would appear to allow a publisher to charge more for content if they refuse to provide personal data so long as such “differential treatment is reasonably related to the value provided to the business by the consumer’s data.”
Another Assembly-passed bill now in the Senate, AB 846, would prohibit a website’s “premium features” from “using a financial incentive practice that is unjust, unreasonable, coercive, or usurious in nature.” The effect of these amendments, if enacted, could be to encourage the establishment of a marketplace for valuing personal information.
AB1355 also removes from the definition of personal information “consumer information that is deidentified or in the aggregate consumer information.” The effect of the provision would be to exempt from regulation such aggregate deidentified information. The act, sponsored by Chau, defines “deidentified” as information “that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer, provided the data’s controller “has implemented technical safeguards that prohibit reidentification of the consumer…implemented business processes that specifically prohibit reidentification…[and has] business processes to prevent inadvertent release of deidentified information…[and] makes no attempt to reidentify the information.”
A second amendment to CCPA which has cleared the Assembly and is in Senate committee makes it clear that any personal information obtained from a public-records type source may be used in any way by whoever obtains it.
The other thing happening sometime in the early fall will be release of regulationsi nterpreting many aspects of the CCPA by California Attorney General Xavier Becerra.