On September 13, 2019, the California Legislature adjourned with numerous CCPA amendments ready for the signature of Gov. Gavin Newsom. Two amendments that ultimately passed, AB 25 – which provides a one-year moratorium on CCPA’s application to employee, beneficiary and emergency contact information, and AB 1355 – a broad-ranging amendment to the law, are particularly helpful for business owners. Other changes to CCPA, including AB 1146, AB 874, and AB 1564 either do not alter in any material way the spirit or intent of the law or are redundant to changes found in AB 1355. There was also one proposed amendment – AB 846, that was withdrawn for consideration until next year but would have greatly enhanced the protections found in CCPA by creating a private right of action for notification and data usage failures.
Three of the changes found in AB 1355 are noteworthy given in some very real ways they chip away from the consumer-first thrust of CCPA. First, by modifying the definition of “personal information” to mean “reasonably capable of being associated with” a particular consumer or household, instead of just “capable of being [so] associated”, CCPA may get a reasonableness component that would give companies a strong new argument when defending a private action breach claim. Moreover, the AB 1355 amendments explicitly state that deidentified and aggregate information are exempt from CCPA – in effect, potentially giving social media platforms a sought-after CCPA safety hatch.
And finally, the AB 1355 Amendment states that the reasonableness of charging a different price or rate or providing a different level or quality of goods or services for the use of data should be measured in relation to the value of the personal information to the business and not to the consumer – as it was initially drafted. Given that most social media platforms and data brokers actually place very low values on specific consumer data, this change is of obvious great significance. Not surprising given the heavy lobbying, these and other changes actually benefit data merchants to the detriment of consumers.
AB 1355 is significant for other reasons.
On September 10, 2019, fifty-one CEOs wrote a letter to Congressional leaders asking them “to pass, as soon as possible, a comprehensive consumer data privacy law that strengthens protections for consumers and establishes a national privacy framework to enable continued innovation and growth in the digital economy.” The signatories to this letter come from a broad range of industries, including retail (Walmart, Amazon, Target, Macy’s), banking (JPMorgan Chase, Bank of America, Citigroup), card brands (American Express, Visa, Mastercard), technology (Salesforce, SAP, SAS Institute, IBM, Dell, Qualcomm), as well as consumer goods and pharmaceutical (Bristol-Myers Squibb, Johnson & Johnson, Procter & Gamble), insurance (Chubb, New York Life Insurance, Principal, State Farm, USAA), and media-rich telecommunications (AT&T, Comcast).
Conspicuously absent from this list of companies are the two largest beneficiaries of Business Roundtable’s privacy initiative – Facebook and Google.
As set forth in their CEO letter: “Business Roundtable has released a Framework for Consumer Privacy Legislation (attached to this letter), which provides a detailed roadmap of issues that a federal consumer privacy law should address.” If one takes a look at this proposed Business Roundtable Framework, Facebook and Google’s sought-after end game comes better into focus – which is especially impressive given that neither company is even a current member of the Business Roundtable.
Business Roundtable’s Framework proposes that a new federal law “establish a national standard for breach notification that preempts state laws” and prevents the “state-by-state approach to regulating consumer privacy.” As well, the Business Roundtable Framework specifically also states that “[a] national consumer privacy law should not provide for a private right of action.”
Apparently, everything may fall into place for those who feast on consumer data. First, CCPA may have been weakened sufficiently to make 2020 not nearly the onerous compliance year most companies expected – especially since the tabling of AB 856 and its creation of a new right of action for breach of CCPA’s consumer notification and use provisions. Given California’s privacy statutes may very well end up being the model for a federal law, weakening CCPA before pushing for a federal law was the necessary initial step in this two-step dance.
And secondly, as shown by the September 10, 2019 CEO letter to Congressional leaders, there is a broad coalition of companies seeking both federal preemption as well as the express killing of a private right of action – the two requirements needed to push back consumer-friendly state initiatives and class action lawyers. Class action lawyers and fiercely independent states – such as Maine and Vermont, are largely immune to lobbyists.
While others may have publicly taken up their fight, Google and Facebook are smoking cigars in a dark backroom somewhere laughing at how brilliantly their plan may ultimately play out.