As submitted for the comment period on Initiatives – Active Measures for Initiative 19-0021 on November 8, 2019.
Dear Mr. Mactaggart,
As privacy practitioners, we share your passion and dedication to the development of information privacy and data protection law in the United States. We acknowledge your achievement in pushing for the enactment of the California Consumer Privacy Act (CCPA) and contributing to the ongoing national conversation to advance privacy rights. Your commitment to these issues is clear, and we commend the seriousness of your work in addressing privacy rights in accordance with your vision.
We write in the spirit of constructive development of privacy regulation, and offer the following comments in the hope of contributing to the goal we share with you: improving the quality and effectiveness of U.S. privacy and data protection law while ensuring the continued innovation and flexibility that so benefit our society. Although we often advise the regulated community on privacy and data protection matters, the views expressed here are our own.
At the outset, we note that there are important improvements in your proposed initiative relative to the enacted CCPA. Many of your new initiative’s provisions could serve to move privacy and data security law in a positive direction. In this vein, we note the following:
- Transparency. Greater transparency on uses of data and profiling helps people understand how their data is used and how it may affect their choices and daily lives. Similarly, where opaque logic and automated decision-making about significant matters are at issue, businesses owe data subjects the benefit of an intelligible explanation. That is only fair. We thus support your initiative’s focus on this topic, which will encourage businesses to focus carefully on digital governance, help the public understand what the risks and benefits of data use are, and allow regulators to act where such uses are unfair, abusive or discriminatory.
- Downstream obligations. We also support your initiative’s mandate for downstream obligations on third parties to notify transferring entities about significant data privacy incidents and unauthorized uses. Similar to what is already required with respect to data security incidents under federal financial and health privacy law, and more broadly under all 50 U.S. state data breach laws, third parties entrusted with sensitive personal data on behalf of another entity should notify the data “owner” about privacy violations and abuses that arise within their responsibility or custody.
- Household information. Your sensitivity to intra-household access rights is well placed and deserves support. People can feel extraordinarily strongly about not sharing certain information, such as browsing history or viewing data, with their parents, spouse, children or roommates, even when they are all living happily (hopefully) in the same household. The initiative’s recognition of this real-world sensitivity is a good thing.
- Cyber risk assessments and audits. Your proposed requirement that large data processors undertake annual cyber risk assessments or audits could help promote enhanced data security (and is in line with what many responsible large data processors already strive to do).
- Publicly available information. Your expansion of what constitutes “publicly available information,” and is thus not personal information, is also well taken. Voluntarily publicized and widely distributed information—in addition to government records—should not be treated as private information. That revision from CCPA 1.0 simply makes good sense, conforms to practical reality, and respects the free flow of information.
That said, while we believe these and other aspects of your ballot initiative are salutary, we are concerned that some aspects of the initiative may not deliver the benefits hoped for, or could otherwise be unworkable or unduly burdensome – especially for smaller entities. That is why we would ask you to revisit the extent to which your initiative takes account of the full range of factors implicated by information privacy and data protection regulation, and balance those factors as necessary in the overall interest of the citizenry.
Such balancing is necessary because, while privacy is a fundamental and foundational right underpinning freedom itself, privacy rights are not absolute. The protection of privacy can affect other rights, interests and freedoms that empower people to speak, to receive information, to conduct business, to create intellectual property, and even to be secure. Moreover, balancing these interests recognizes that not all privacy harms are created equal. Consumers do not and need not worry the same amount about all collections and uses of their data. Formalistic requirements that do not account for these differences and gradations of privacy harms will impose burdens without necessarily providing commensurate protections against actual risks. It can also eliminate the ability of data subjects to exercise choices.
We thus recommend that the provisions of your new ballot initiative balance privacy harms against the impact the regulation of those harms would have on other rights and freedoms. In particular, we would recommend empowering the data protection regulator your initiative would establish to take account of these other rights and freedoms in making its enforcement decisions. An appropriate framework for such consideration was articulated in September 2019 by the Court of Justice of the European Union.
In considering the EU’s version of the “Right to Be Forgotten” under that jurisdiction’s General Data Protection Regulation, the CJEU stated:
“The processing of personal data should be designed to serve mankind. The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality. This Regulation respects all fundamental rights and observes the freedoms and principles recognised in the Charter [of Fundamental Rights] as enshrined in the [EU] Treaties, in particular the respect for private and family life, … the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information [and] freedom to conduct a business …”
This dedication to “proportionality” seems both important and correct. In short, the farther afield you get from privacy harms that are unreasonably offensive to the average person, the greater the risk your proposed rules may impose disproportionate constraints and burdens on other rights, the full range of interests and functions of society, and legitimate economic activities.
We believe you share a vision of a privacy and data protection law that serves the overall best interests of the people of California and the Nation. Indeed, this logic is present in one of your initiative’s recitals, which professes that privacy regulation “should be implemented with the goal of maximizing consumer privacy, while minimizing business regulations that do not advance that goal.”
We also know that striking the proper balance on many of the topics addressed by your initiative is complex, and that reasonable people can disagree on the optimal outcome. However, we identify certain aspects of your initiative where we believe a second look is warranted.
- Minimization and purpose limitation. We agree that the initiative’s mandates toward the minimization of collection and retention of personal data, and purpose limitations, can be reasonable objectives for good information practices. At the same time, we worry that inflexible minimization and purpose standards may impede the development of useful new data applications as well as new insights from technologies like machine learning. We would thus encourage you to consider these mandates through this lens before finalizing your initiative.
- Portability, access and rectification. Similarly, “portability” is a worthy goal in principle, but achieving this convenience is far from costless and may not always be consistent with optimally incentivizing (and rewarding) new business models that benefit society and that consumers may want. The standardization that such interoperability would require may also have unintended impacts to competition.
Moreover, we commend you for recognizing that requiring access to system log data or other technical information may not be useful for consumers to receive, but could impose considerable and incommensurate compliance burdens for the production of largely irrelevant data. We would respectfully suggest that you make the initiative’s mandate to issue regulations to minimize the costs of delivering data that is not useful to consumers even more direct than it is now. Similarly, allowing rectification rights without some standard for materiality or relevance to consumers could also impose unjustified burdens. Indeed, we note that under the EU’s General Data Protection Regulation numerous obligations of data controllers are expressly qualified where they “prov[e] to be impossible or would involve disproportionate effort.”
- Time horizon of access requests. While we understand why you want consumers to have access to the full picture a business has of them, your initiative’s contemplation that consumer access rights could reach back beyond the prior 12 months may impose disproportionate burdens. While your language explicitly recognizes this, to raise the specter of limitless backward searching may expand compliance burdens beyond the commensurate benefits. It is thus worth considering how to cabin this right to appropriately balance the burden (and incentivize good data hygiene and data retention practices).
- Pseudonymous information. We do not believe that exchanging inferences and tailoring advertising on the basis of pseudonymous information should be treated as the equivalent of trafficking in sensitive personal information for marketing purposes. We thus encourage you to recognize the gradations in potential harms that may stem from varying degrees of profiling and the use of information with varying degrees of sensitivity. To that end, as you know, pseudonymization can be an important privacy enhancing technique.
- Right to cure. Applications of privacy law to new technologies, business models and evolving consumer expectations will continue to be a challenge, even when companies that have mature compliance programs continuously strive to do the right thing. We were disappointed to see that your initiative eliminated the CCPA’s right to cure alleged privacy violations. We think it is a mistake to move away from a progressive approach to enhancing compliance in favor of “gotcha” enforcement and penalties.
- Data breaches. As you know, companies, organizations, and even the most secure of government agencies can be victims of cybercrime despite the fact that they had implemented reasonable security—or even near perfect security. As the Eighth Circuit U.S. Court of Appeals has noted, suffering a data breach is not in itself evidence of unreasonable or inadequate security. We believe this proposition is self-evident as a matter of broad experience and common sense. Cyber attackers only need to find one obscure or yet undiscovered weakness, often of the human variety, even if 99.9% of the system is impregnable.
Thus, while we understand the need to assure protection against losses suffered by victims of a data breach, we hope you will modify your initiative to diminish the risks of statutory damages for businesses that are also victims of criminal activity despite their having implemented reasonable security. In particular, we believe it makes good sense to recognize a safe harbor whereby companies can implement and attest to compliance with specific, reasonable technical and organizational standards (perhaps like those highlighted by then-Attorney General Kamala Harris in 2016). Such companies would be presumed compliant unless plaintiffs can plausibly allege that a data security incident resulted from an overall information security program that, contrary to their commitment to the safe harbor, was unreasonably designed or unreasonably implemented. Again, as the Eighth Circuit—and the Federal Trade Commission—has stressed, cybersecurity incidents can happen despite a reasonable program, or even a particularly strong one.
We also ask you to consider whether the statutory damages your initiative would authorize will incentivize appropriate investment in data security, or simply encourage large settlements that may not correspond to customer injury, programmatic negligence, or commensurate fault. Similarly, we believe it would be appropriate to revisit the language of your recital regarding holding organizations accountable for data breaches. The fact of a breach should not alone establish liability but, rather, the failure to implement reasonable security that leads to a breach. The language of the recital is inconsistent with the language of the relevant substantive text.
On a more granular level, we call your attention to the “employee” carve-out you provide in your new initiative. Because of a double negative at the beginning and end of the subsection, we believe the exemption may not be effectuated as you likely intended unless the language is revised.
We also believe it would be beneficial to clarify that achieving an optimal balance for data privacy rights together with other rights and interests of society is “consistent with and [would] further the purpose and intent” of your initiative. Thus, the California legislature should be authorized to amend the Act in the overall best interests of the citizens of California even if it means modifying provisions where experience indicates that certain privacy protections are not working as intended or are impeding the best interests of the State’s citizens.
Finally, we note that, despite your efforts to limit your initiative’s extraterritorial effects by, e.g., exempting conduct that “takes place wholly outside California,” it is clear that the initiative will very substantially affect entities throughout the country. This is inevitable when a State with the size and reach of California regulates activity that crosses borders as porously as digital information. We nonetheless think it would be appropriate for you to take a second look at these extraterritorial effects – and, in particular, the interstate compliance burdens the initiative might place on entities that operate outside the State and have relatively little contact with its residents. Indeed, in such circumstances, the compliance costs and complexities faced by those entities would likely outstrip privacy benefits that accrue to California consumers.
Thank you for considering our views. If it would be of value to you, we would be pleased to engage further with you to address the issues we have raised.
Alan Charles Raul
Colleen T. Brown
Christopher C. Fonzone