The Boldest American Consumer Privacy Statute in a Generation is in Flux
The most important part of a privacy law are the definitions. Get them wrong and the rest of the statute doesn't mean much. Over the last month, a quiet drama with major stakes (and a hopeful ending) unfolded around the definition of "personal information."
It's a drama worth understanding because it will play out again and again as new privacy laws make their way through local, state, and national legislatures. The California Consumer Privacy Act (CCPA) went into effect on January 1st, giving consumers far more control over the data that companies collect about them. But while CCPA's language hasn't changed since the fall, the regulations implementing CCPA are still in flux.
What is "personal information"? #
Our story begins on February 7th, when CA's Attorney General added to the draft regulations Section 999.302, "Guidance Regarding the Interpretation of CCPA Definitions." The new guidance would have crippled the CCPA. For example, suppose a free adult video site, IPporn, logs every video watched along with the associated IP address. It stores no other session or user information. Under the most obvious reading of Section 999.302, the log would not constitute personal information. IPporn could, for example, tweet out every IP+video record publicly. Any other website could easily learn a user's kinks by simply searching Twitter. Clearly, this is not the intent of CCPA.
CCPA governs the use of "personal information." Let's look at the definition (1798.140(o)(1): *"'Personal information' means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.' *Under this definition, personal information definitely includes information that "could reasonably be linked" with a particular household, no question about it. The earliest draft regulations didn't elaborate on the meaning of "personal information," but on February 7th, the Attorney General added new "Guidance Regarding the Interpretation of CCPA Definitions":
- 999.302(a) Whether information is “personal information,” as that term is defined in Civil Code section 1798.140, subdivision (o), depends on whether the business maintains information in a manner that “identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked [sic], directly or indirectly, with a particular consumer or household.” For example, if a business collects the IP addresses of visitors to its website but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household, then the IP address would not be “personal information.”
The latest guidance presents serious contradictions to the original intent of CCPA #
First, the new guidance distinguishes between what a specific business can do with data and what can be done with data more generally. The original definition demands protection of information if it can be reasonably linked with a particular household by anybody. In contrast, the draft regulation only requires the protection of information if it can be reasonably linked by the business. It suggests that to free personal information from CCPA protection, a business doesn't have to make the information less identifiable, but to handicap its own identification capabilities.
This is something industry critics of CCPA (who want to weaken the law) have been begging for. Their argument is that you can't expect every mom-and-pop data company that peddles in the personal information of 50,000 people annually to be able to figure out what leet MIT hackers can do with data. That argument makes some sense, and it's clear that a lot is riding on the meaning of "reasonable" in CCPA's definition of personal information.
However, this distinction yields a nonsensical policy. For example, CCPA makes it illegal for a business to publicly tweet its users' personal information. But if the business can't reasonably link it to a household, then it's not personal information. And if it's not personal information, CCPA doesn't apply. Tweet away. Of course, what should matter from a policy perspective is what the recipients of that information—anybody on the internet—can do with it. Maybe I'm reading it wrong. That can't be what they mean, right? Wrong!
Second, it is, in fact, wrong, because they illustrate their point with the worst possible example: IP addresses. A typical household's IP address (say, on a family desktop) stays the same for months or years at a time. During that period, every webpage they visit sees the IP. If anything "could reasonably be linked to a specific household," it's an IP address. CCPA mentions IP address explicitly twice, but the draft regulation would make it possible for IP addresses to not be personal information. If the business doesn't keep around other information needed to link the IP address to the household (it's hard for me to write that phrase it's so vacuous), then the data is free from CCPA.
Third, under 999.302, personal information no longer includes all information that could reasonably be linked with a particular household. It only includes information that is "maintained in a manner that could be reasonably linked" with a particular household. Compare with the statute's language. The guidance focuses the definition of personal data on the form of the data: how it's maintained. It sidelines the power of the data: what can be done with it. For a data privacy regulation, this is backwards: the power of data, not its form, is what matters. I've made this point before in a piece on ambiguities in the law's definition of "probabilistic identifiers" and calling for regulatory clarification.
The latest guidance, if enacted, could enshrine the worst interpretation as the main definition of "personal information" #
Let's go back to our adult video site IPporn. If the IP+video log doesn't fall under the new exception established in the draft regulation, I don't know what does. According to the regulation, it's not personal information and IPporn can do whatever they want with it, like tweet, making people's porn habits all but public. Like I said, this is astonishing. Section 999.302 has no place in the final regulations. By distinguishing what a specific business can do with data and what can be done with data more generally, the draft regulation would gut the boldest American privacy statute in a generation.
The Attorney General accepts public comments after every revision of the regulations. About 100 were submitted, only a handful mentioning Section 999.302. Most comments applauded the new language—not because they didn't appreciate its significance but because they appreciate its significance. Undoubtedly the most important comment, however, came from Senator Hannah-Beth Jackson, Chair of the Senate Judiciary Committee: "One specific area that I find sacrosanct is what is considered 'personal information' for purposes of the CCPA . . . . I believe that Section 999.302 of your modified proposed regulations weakens the very definition we have been fervently protecting."
When one of CCPA's key senators expresses "deep concern" over your regulation, you listen. On March 11th, the Attorney General published the third draft of the CCPA regulations, striking Section 999.302 altogether and opening a round of public comments. The regulations are still in flux, and you can be sure that the industry groups that applauded Section 999.302 will pressure the Attorney General to re-introduce similar language. Comments can be submitted about this issue through March 27, 2020.
_This is an abridged version of a piece originally published by Protego Press_.