Last time, we talked about the passage of the California Privacy Rights Act (CPRA), a ballot referendum that expands and enhances the scope and consequences of CCPA. Today, we’ll look a little deeper into why CPRA is such a big deal, and also why it may simultaneously be the cause of its own undoing.
When a “Sale” isn’t a “Sale”
You may recall that CCPA instituted a new, mandatory button for websites: “Do Not Sell My Data.” This seemingly-innocuous requirement actually has deep roots in the economics of the Internet, in that a huge portion of the financial benefit associated with data comes from selling it for advertising purposes. In fact, CCPA’s origins lie in concerns that the uncontrolled collection and sale of personal information for advertisers was undermining personal rights — a theory behind the GDPR, as well.
The premise is simply that, when a data subject doesn’t want their personal information sold to a third party, they should be able to halt that sale. Of course, this is substantially easier said than done, given that it isn’t typically a one-off sale of a single person’s details to third parties. Data is almost always sold out of the bulk bin, given that information about one particular data subject is unlikely to be valuable enough on its own to warrant a sale. Consequently, identifying that one data subject among the vast volume of data collected, processed, and sold can be extremely complicated. Ask anyone who has been told to delete individual data from a backup tape and you’ll find out what I mean.
There’s a secondary problem here, one that makes complying with CCPA and CPRA much more complicated. “Sales” under CCPA are defined to include far more than the standard “X dataset for Y dollars” — instead, “selling” means “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating” data. That’s an enormous amount of activity that we wouldn’t normally think of as selling, but there was an important caveat: any of those acts had to be for “valuable consideration.” Here’s where a little legal background helps — “consideration,” in lawyer-speak, means money or its equivalent. By pegging “sales” under CCPA to “valuable consideration,” the California Assembly was giving a nod to lawyers and judges that the law was effectively following the ancient rule that there’s no contract without consideration, even if that consideration was traded in a data-exchange or used as payment for access to other datasets.
CPRA undoes this guidance by removing the obligation that data be exchanged for value — now, consumers can halt the sharing of personal data, which means that, in effect, when data passes from one entity to another even without any form of payment, it is subject to CPRA and data transfer halt requests. Why does that matter? For one, it is another major restriction on commercial activity. But more pointedly, CCPA and CPRA (as we may have mentioned) are not models of clarity when it comes to understanding definitions, and it’s not clear whether the definition of “business” under either law means “every entity and affiliate in your corporate family” or just “this one particular business.” If it’s the latter, then CPRA could permit consumers to halt the sharing of data even within a business group. This means that your company’s affiliates (and even conceivably processors you’ve retained) would not be able to receive data, even though they haven’t paid for it and the personal data hasn’t “left the company,” so to speak.
Is that what’s going to happen? No one knows. Much of the interpretation of CCPA and CPRA will be left to the Attorney General (for now), the new California Privacy Protection Agency (later) and, inevitably, the courts. This means that we’ll have to guess what the law means until we get definitive rulings, just as most people have done in the time since CCPA went into effect. The problem there, of course, is that regulatory indeterminacy and vague legal provisions don’t exactly instill confidence in business owners that they’ve adhered to the law, even when they want to. The wait-and-see game is a costly one, and there’s no reason to think it is going to end any time soon.
Say Uncle (Sam)
All of this leads to the fundamental truth that there are plenty of people who are confused, unhappy, and motivated to act about CPRA. A well-funded campaign against the ballot initiative wasn’t enough to stop California voters from expressing a desire for stronger privacy protections. But businesses outside of the Golden State are, unsurprisingly, concerned that CPRA will impose serious costs and liability risks on what were otherwise fairly routine e-commerce transactions. Californians, too, worry that there will be an explosion of litigation (particularly given that CPRA authorizes private causes of action by individual consumers). If there’s one thing you learn about litigation in California, it’s that when you give private citizens the right to sue to enforce a statute, they’re going to — which is why there are so many lawsuits filed under the False Advertising Law and Unfair Competition Law each year.
These fears, along with the notion that California is effectively setting the privacy law standards for the United States (which, frankly, it is), have pushed the likelihood of a federal intervention from the possible to the probable. We don’t know that 2021 will definitely be the year that a federal privacy law passes, but if it is, we think that CCPA/CPRA will have a great deal to do with it.
Why? Preemption. The US Constitution grants Congress the power, in certain circumstances, to make laws that nullify any state law that comes into conflict. This power (preemption) comes in a variety of forms — sometimes Congress sets the minimum standard and lets states go above it, sometimes Congress sets limits and allows states to go below it, and sometimes Congress “occupies the field,” voiding any state law on a subject, even if the state law supported the federal policy. This latter category is important to regulatory fields where there needs to be one national standard (think nuclear safety). Preemption is effectively Congress concluding that it knows what’s best for the country — and, given how deferential the Supreme Court is to preemption claims, there’s virtually nothing the states can do about it.
For some in Congress, the incentives to preempt California’s laws are clear: get rid of pesky requirements and costly regulatory frameworks, unify the national approach to privacy, and avoid a multiplicity of rules across the states (which is what we have now). But there are also reasons to support leaving CPRA alone — if the federal aim is to make privacy rights as robust as possible, the method will be to set the lower limit of what’s required and leave states to decide the rest. These two viewpoints pretty fairly encapsulate the two schools of thought in Congress right now, which means that, if there is a law this year, we should expect it to be some combination of the two. That, or a complete refusal to reach a compromise and nothing happens at all.
The point is that if there is a compromise and Congress elects to do some form of preemption, it isn’t going to be a coincidence that it happened after CPRA passed. As such, it’s already an important state privacy law in the United States, even though it won’t even go into effect for more than two years.