Definition of 'sale' looms as enforcement issue for landmark California privacy law
02 Apr 2020 12:44 pm by Amy Miller
Legal challenges to California's sweeping new privacy law are inevitable.
Business groups, legal scholars and conservative politicians alike have argued that the California Consumer Privacy Act is unconstitutional, primarily on the grounds that because it seeks to regulate commerce outside California's borders, it conflicts with federal law.
But another legal issue appears likely to end up in court: the CCPA's definition of sale. That could be one of the thorniest issues facing the new law, which gives consumers the right to know what information companies collect about them and the right to block companies from selling it to third parties.
Wealthy tech companies with deep pockets are already challenging the CCPA's requirement that companies create an online button consumers can click to opt out of the sale of their personal information. Both Facebook and Apple said recently that they don't have to offer an opt-out button.
Facebook said in a blog post that while it will provide all users around the world with CCPA-mandated compliance tools to let them view or delete their personal data, it doesn't "sell" data, as defined by the CCPA.
Apple also doesn't plan an opt-out page, arguing that its data-collection practices don't constitute a sale under the CCPA. The iPhone maker says it has performed an extensive analysis and mapped its data-collection and sharing practices and found that it doesn't sell data for purposes of the CCPA.
The Interactive Advertising Bureau has also suggested in a compliance framework for the CCPA that some online advertisers plan to rely on a business-purposes exception, and contend they aren't "selling" customers' data when they contract with ad-tech companies to transfer data for ad-targeting purposes.
California Attorney General Xavier Becerra didn't take a position on Facebook and Apple's claims in a recent interview with reporters, but did say companies shouldn't believe they can use consumer data "for their own ends" without answering to consumers.
He said his office will try to make the CCPA's provisions "as clear and unambiguous as possible," and will help companies "understand our interpretation of the law," before and after it takes effect on Wednesday.
Under the CCPA, a "sale" of personal information is defined broadly as "selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means," which can be done either "for monetary or other valuable consideration."
That means that if personal information is provided as part of a business relationship, a "sale" may have occurred even if no actual money was paid for the data. A website may be "selling" personal information by passing it to third-party ad networks through cookies, for example.
However, companies argue there is much uncertainty. What does "valuable consideration" actually mean? Do all disclosures of data to a third party constitute a sale of personal information?
A wide range of companies and business groups have told Becerra in public comments that they are concerned about the unclear definition of sale in the CCPA's proposed implementing regulations, which are expected to be finalized before enforcement begins in July.
Neither the CCPA nor the proposed regulations provide guidance on how to ensure compliance with respect to this common practice. They want Becerra to provide clarity.
Other parties, such as the privacy-based Internet browser Brave, told Becerra the definition may be too permissive. Companies can share personal information with other companies and benefit without there being a formally defined valuable consideration, the website's policy chief said.
"This occurs, for example, in the 'real-time bidding' online ad auction system, where personal information is shared among thousands of companies," Brave said in its filing. "We fear that this activity would not be captured by the concept of 'selling'. This is a grave concern, because real-time bidding currently broadcasts what every person in California reads, watches, and listens to online billions of times a day."
A collection of privacy groups including the American Civil Liberties Union urged Becerra to "make abundantly clear without waiting to signal what the law requires through an enforcement action that 'sale' under the CCPA includes the most pervasive and invasive form of information sale: passing information for targeted advertising."
It's unclear for now whether Becerra will choose to challenge in court some companies' belief that they don't sell data under the law.
The state legislature has allocated about $4.5 million a year to the California Department of Justice to enforce and defend the CCPA. That money will pay for 23 additional positions, including eight deputy attorneys general, eight legal analysts, six clerical staffers and $250,000 a year for expert consultants.
The state DOJ estimates it will bring at least two lawsuits a year and devote about 15,000 hours a year to investigations and prosecutions under the CCPA, budget documents show. But the agency also told lawmakers that "these estimates may reflect a minimum."
Consumers currently only have a right to sue companies under the CCPA if their personal information has been compromised in a data breach. But ambitious plaintiffs' attorneys could also try to expand that private right of action against companies, especially if they mishandle personal data that they argued they don't sell under CCPA.
Some clarification could also come from Alastair Mactaggart, who helped author the CCPA. He's proposed a second ballot initiative to strengthen the law, which would expand the definition of sale to be the "selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to a third party for monetary or other valuable consideration, or otherwise for a commercial purpose, including but not limited to cross-context behavioral advertising."
But first, he'll have to collect about a million signatures to get the initiative on the ballot next November.
As the EU marks the second anniversary of GDPR, large US tech companies should prepare for regulatory enforcement in the months ahead.
22 May 2020 4:28 pm by Vesela GladichevaAs the Irish privacy watchdog sends its Twitter probe off to EU counterparts for review today, it will doubtless hope for quick, constructive feedback.
21 May 2020 7:29 pm by Amy MillerClearview AI is invoking a legal shield used by social media companies hoping to defeat Vermont privacy lawsuit