The ballot initiative was pulled, the law was passed. But will the California Consumer Privacy Act (CaCPA) move forward to be one of the most significant steps in data privacy law, or will the law be watered down through the revision process? This is a big test of how California handles data privacy, and it is sure to impact what other states attempt. In this episode of “Are You DataSmart?” the Ward brothers dive into the proposed changes to CaCPA and what you can expect going forward.
Jay: “Are You Data Smart?” A weekly podcast on data security, information management, and all things related to the data you have, how to protect it and maximize its value. I’m Jay Ward.
Christian: And I’m Christian Ward. Today, we’re gonna discuss the changes that are likely to continue to happen to the California Consumer Privacy Act. Jay, the CCPA, or the California CPA, or the…was it AB 375?
Jay: Five, mm-hmm.
Christian: Lots of names, so even the name’s changing. But as we’re looking at this, I saw on my Twitter feed a post from Angelique Carson who is the editor of the IAPP’s “Privacy Advisor,” it’s a great monthly publication, lots of different viewpoints. But she did a whole great write-up about the California Consumer Privacy Act and how it was passed, the unlikely three-person team of the financier and the CIA, you know, it’s just a Clancy novel waiting to happen. Actually, kinda glad it didn’t go quite-so-Clancy, they all seemed to be alive and well given her interviews. But the fascinating thing is, it’s now available since it did not go through the ballot initiative and it was passed by the legislature and what appeared to be, you know, a havoc of the last 72 hours. It doesn’t really seem like that’s what’s happening, it seems like there were a lot of changes that weren’t expected, some of them are coming through. And last week, the first technical changes or technical guides were announced. What are you seeing, what’s the first big thing that’s changed?
Jay: I think the biggest issue…it’s not even really an issue, it’s more about the capping some of the potential damages. So, limiting penalties to $7,500 per instance for the California Attorney General lawsuits, sort of, cabining the AG’s power. There’s, sort of, a small proviso that changes the way you can bring a personal cause of action, so it’s really just for unencrypted or unredacted data that gets out.
Jay: And, again, in the bill…
Christian: Like truly naked data, like… Yeah, yeah.
Jay: Right. If you remember the Panera breach earlier this year, where they had just everything kept in plain text on a website. It was like a Geocities’ site, you know, there’s like a dancing baby on the top, he’s like, “Here’s your social security number.”
Christian: That’s right.
Jay: I’m just kidding, I love Panera. So, there’s a little limitation on the possibility for damages, and then, some cabining of the personal identification, definition, so personal information.
Jay: And to me, that’s actually the most meaningful because there’s always gonna be a push on the nature, scope, extent, and size of damages, that’s always gonna happen.
Christian: Which I think is, according to Angelique’s article, and there have been other reports, it’s the main thing that the big technology companies initially were like, “Hey, wait, you can’t have this,” and your personal right to action of $1,000, for instance, mean that the numbers got so astronomical so fast that… I get that, I think that’s a legitimate business concern, I don’t blame any of them for going after that. But the definition of what is personal information, that’s really where we see some fascinating maneuvering to really limit the scope of the law.
Jay: Yeah. So, there is just a massive lobbying effort underway right now. And, you know, people talk about, well, it was passed and done in 72 hours and all of this other kinda stuff about the bill, almost in an attempt to denigrate the passage of it. But they passed the bill.
Christian: Yeah, but it’s also not. And I think she…I don’t know if it was Angelique’s article or another one that I was reading yesterday, but they also talk about that’s not really what happened, it was months and months of negotiations.
Jay: Of course.
Christian: And it was just, you know, yes, did they have sort of a bullet to the Legislature’s head to say…or a gun to the head saying, “Hey, you have to get this done?” But they all really were talking for months about this. I think the concern was, once the deadline passed, now there really is no urgency to prevent or to block. The only thing that’s gonna keep this thing in check is if almost, like, private citizenry or legislature, you know, decides actually this is a really important issue, and we’re not gonna water this thing down so much that, you know, it finds its way to the useless category.
Jay: Well, and that’s, I think, what’s an interesting facet about all this, you know, they’ve been saying there was a lot of people who are unhappy about its passage, but it passed and now it’s on the books. So, the lobbying effort that wasn’t able to happen during that period when, to be honest, people just weren’t paying attention, now there’s this furious effort, you know, to change it. And the tech groups, the largest tech companies are lobbying, not just in Sacramento, but in D.C.
Christian: In D.C. Yeah, that’s right.
Jay: And it’s gonna be an uphill battle. There’s a lot to talk about in terms of the development of privacy law in the U.S., there’s like four or five different proposals that are currently out. But the idea that the federal government, right now, is going to produce a law that not only regulates privacy across sectors but does it in a way that preempts state law, I don’t see it.
Christian: You’ve already talked about this. This was like just…yeah.
Jay: Not gonna happen.
Jay: So, it may happen eventually, but there’s a tenuous relationship in my mind between what’s being discussed in Washington now, which is like FinTech changes, or, you know, really limited changes to, like, the NIST guidelines, but that’s not, like, a big law that’s gonna come out. It’s not the American GDPR. So, the real question in my mind is not how are we gonna, you know, talk around the edges of, you know, the amount of potential damages? I mean, we gamed it out in the Yahoo breach, it was like a $300 billion.
Christian: Yeah, I mean, it wasn’t that bad.
Jay: I’ll take it. I mean, $300 billion, I’ll take that. But, for me, it’s the personal information, that’s the most important thing. And California did this interesting thing in the law where they didn’t make it about an individual data subject, the language is all about consumers or households. And there’s a lot of interesting philosophical questions about why they went with that. Consumer is typically the way that California puts these laws into place because they’ll sort of emanate from California’s approach to the Unfair Competition Law and the false advertising law, those were like the really robust baby FTC Acts that California has. So, this law is still sort of within the framework of consumers but they added in this household language. So, now, the question is, when we’re defining personal identification under Cal CPA, are we talking about an inferential leap from data I have about you, Christian, as a dad to the rest of the kids? Because if the data doesn’t pertain to you, it pertains to the kid, there’s a lot of questions here, and there haven’t been, so far, any major changes to the definition of personal information.
Jay: And it’s broad. I mean, even looking at it, it’s personal information if it identifies, relates to, describes, is capable of being associated with or could be reasonably linked directly or indirectly with a particular consumer or household.
Jay: That’s in some ways broader than GDPR.
Christian: Yeah. It makes me laugh because…I mean, my own look in our household, there were nicknames for everybody, and even my daughter, you know, I could call her Red, one of my daughters. And it’s kinda funny, that’s both the descriptor and her name, but the issue is, people are trying to get their arms around if I have a partial photo of me and they’re in the background, and one could reasonably identify them in the photo, then that’s personal information, certainly according to the GDPR. How that sorta translates here in the U.S. would be fascinating to watch. I don’t think California, as you said, is going to drive the whole country’s agenda, but I think if we end up with 30 or 50 different definitions, because some states are likely to get together and at least decide similarly, but if we end up with a ton of different viewpoints, then there comes a need for an overarching understanding, and whether that’s a federal interpretation or how that would get done. The other issue that I see is, there was a discussion about whether something included a sale. And you and I talked about this when we saw the first draft of the ballot initiative, not the law because it talked about sale.
And one of my major concerns with this is, and has always been, the vast, not necessarily misuse, but use of this data today is to build audience information, to market, and to target people with advertising, or outreach, or lead generation, and these are really important business practices. That you’re not really buying data in that case, it’s not a sale in a currency exchange, sort of, way, it’s that the data is the tool by which the audience is prepared, but you’re actually buying ads, not data. And so, I think there’s, to some degree, that could be a really big hole for people to drive the truck through to say, “Hey, it’s business as usual, everybody back, back, you know, nothing to see here, please disperse.”
Jay: Well, so the interesting thing is that the law does talk about whether there is…it’s not just if it’s sold, but it’s also a commercial purpose.
Jay: So, transferred to another person for a commercial purpose. So, the idea is, if you’re receiving it for a commercial purpose, it is tantamount to being a purchase because…
Christian: But that’s what it says today. What I’m saying is, what I’m really concerned about is I really think that’s the part where…that’s the line that… Right. Because California also is very focused on data brokers, which is funny because a lot of them have headquarters in California. But they really wanted people to not be able to have forward on the data for additional processing, to use a GDPR term, but, really, they were trying to prevent that. And part of the concern is, if they mess around with that definition of sale or transfer, I think it’s gonna get watered down to a point where it really doesn’t have any teeth. And it would take a massive breach, and an Attorney General who wants to get reelected, that, sort of, you know, perfect storm for this to actually amount to anything.
Jay: Yeah, I think that’s right. I mean, to be clear, the Attorney General of California, regardless of who it is, always really wants to be reelected because they end up being senators, so…
Jay: Just ask Kamala Harris, like, it’s a nice little jump to D.C. But, from my perspective, if California’s law is watered down or if it’s changed, it will obviously have an operational effect on businesses, and have an effect on how this law is interpreted and applied. But I think having this out there at all is a big step for this country, you know? I think it would be a great thing if the ALI or, you know, the bar associations around the country came together and worked on a model uniform Data Protection Act that the states could just follow. It’ll be like, “Okay, this seems reasonable,” because you get buy in from a lot of people, that would be good. At least, it would encourage uniformity in the absence of a federal statute. And in general, the federal government, when there’s a model law, kind of, stays away, they, you know… But this is such a big issue in such a big industry, it’s, you know… At some point, the feds are gonna be like, “Oh, I can’t regulate this and control it.”
Christian: Well, look, I’m sure everyone at this point has seen, I don’t know, 15, 20 articles that say, “Is data the new currency?” It’s one of my favorite titles because it’s kinda hilarious because, technically, currency was and always is data. Like, it wasn’t like…you know, it didn’t suddenly become that, all currency is data to begin with it, even literally, it has numbers on it and ID numbers, like it is data. But that concept of data as currency, we like to point out to people, “Is anyone listening aware of any currency that’s not highly regulated?”
Christian: I mean, other than Bitcoin, which obviously everyone is rushing to regulate in some way, shape, or form. Currency and where money is, is where all the regulation goes. There has never been, nor will there ever be, an area where money, investment dollars, and enormous wealth is, that is not highly taxed and regulated, that is just the nature of ensuring that those goods and services… Look at our, you know, financial system today, look at the stock market when it was completely unregulated, and as more and more money poured into it, more and more regulation follows. So, I think, to look at data and say, “Well, I buy into that data as a currency,” and then I point out that currency is actually money, it’s a monetary exchange system, so that means data is money, which a lot of people have said. Obviously, the rise in the term Big Data on Google Trends is hilarious, it just spikes and just keeps going strong, we all think there’s a lot of money to be made in data. So, if it’s a currency, I just assure everyone the regulation is not going to slow down, it’s gonna keep speeding up. And yes, it starts with, just like regular currency did, the initial laws around currency are around theft, or if it was stolen, or if it was counterfeited, or it was… All these much more deep legal questions will come later, but right now, we’re just trying to figure out the first basic laws around how to handle a new type of currency, which is data.
Jay: Well, think about it this way, all of the original blue sky laws, which were the first securities laws in this country, were enacted by the states. And they were called blue sky laws because the notion was this has no basis but the clear blue sky.
Jay: It was a fraud prevention measure.
Jay: And it was intended to protect the public, well, some very small members of the…I mean, there was a limited number of the public, but still, to protect them from fraud and to give them control over the security and safety of the transactions. And that’s exactly where we are now, that’s exactly what’s happening now.
Christian: And so, I think, as we look at this, you also… Just to mention, was it last week that the FTC opened up a comment period on just privacy laws in general, what just happened?
Jay: So, the FTC is doing, sort of, an open invitation for conversations over the next couple months about data issues, consumer rights, and it’s really just a… It’s a listening campaign for them to, sort of, get an idea, gauge where people are. It’s not like a proposed rulemaking notice and comment period, this is really just, “Hey, let’s have a conversation.” But the reaction has been just really intense.
Jay: They’ve gotten these, like, huge long briefs, so like, “Cal CPA is bad for America.” And the FTC is like, “I didn’t ask for this, I don’t want this, this isn’t responsive to my question. Thank you very much, sir, this is a Wendy’s drive-through.” So, the whole thing is very interesting because people are really worked up, and I understand why, but you have to know your audience.
Christian: It’s classic, “No, but what do you?”
Christian: “Oh, dogging a beer.” Yeah. I think anytime the government is just like, “Hey, you know, we’d love to have a dialogue,” and there’s this much pent-up concern on both sides of what does it mean, and how do we take some of the European historical view of privacy as a right and the U.S. concept of free enterprise, free market, and data as currency, how will we bring these things together in, sort of, a joyous united front? And you’re asking for trouble, you’re asking for a pretty strong fight.
Jay: I mean, it’s like a live version of reading the comments to a YouTube video.
Christian: That’s right.
Jay: Just don’t do it.
Christian: Right. “Mystery Science Theater 3000” right there. So, I think, you know, the fascinating thing about the California law is it’s gonna be, you know, sort of this micro theater of a grander stage. And you’re right, so we’re getting the basic version today that we’ll be able to unpack over the next several months, get our arms around it, see what happened, what changed. I’m sure the changes as they’re released will get a lot of back and forth discussion, perhaps in the media, perhaps in the press. And I don’t say this with any, you know, dark hope in my heart, I literally hope we don’t have any more major data breaches, but they do tend to pop up on the average of one a day. So, it’s likely that there will always be fuel to throw on this fire to have the dialogue keep going. And, I guess, you know, there’s probably another financier that could, you know, throw in another ballot initiative on in a couple years if this doesn’t go the way they want it to.
Christian: Right. That’s kind of the fascinating thing about that California ballot initiative process. Does any other state have that by the way?
Jay: There are ballot initiatives in other states but not with the sort of ability for… Yeah. I didn’t get a [inaudible 00:16:59]…
Christian: Yeah, yeah. California.
Jay: California really does.
Christian: So, excellent. So, we’re gonna continue to monitor it. I think, you know, we’ll certainly talk about it as it comes to market over the next months, but this will be a fascinating discussion going forward. And if you don’t follow the IAPP or Angelique Carson, they always have really great thought on this. You should definitely check them out on Twitter and follow their account as well. That’s it for this week of “Are You Data Smart?” We’ll see you next week.
Jay: Thanks again.