The Boldest American Consumer Privacy Statute In A Generation Is In Flux
The most important part of a privacy law are the definitions. Get them wrong and the rest of the statute doesn’t mean much. Over the last month, a quiet drama with major stakes (and a hopeful ending) unfolded around the law’s core definition: “personal information.” It’s a drama worth understanding because it will play out again and again as new privacy laws make their way through local, state, and national legislatures.
The California Consumer Privacy Act (CCPA) went into effect January 1st, giving consumers far more control over the data that companies collect about them. But while CCPA’s language hasn’t changed since the fall, the regulations implementing CCPA are still in flux.
Our story begins on February 7th, when CA’s Attorney General added to the draft regulations Section 999.302, “Guidance Regarding the Interpretation of CCPA Definitions.” The new guidance would have crippled the CCPA. For example, suppose a free adult video site, IPporn, logs every video watched along with the associated IP address. It stores no other session or user information. Under the most obvious reading of Section 999.302, the log would not constitute personal information. IPporn could, for example, tweet out every IP+video record publicly. Any other website could easily learn a user’s kinks by simply searching Twitter. Clearly, this is not the intent of CCPA.
What is “personal information”?
CCPA governs the use of “personal information.” Let’s look at the definition.
1798.140(o)(1): “Personal information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
Under this definition, personal information definitely includes information that “could reasonably be linked” with a particular household. No question about it.
The earliest draft regulations didn’t elaborate on the meaning of “personal information.” But on February 7th, the Attorney General added new “Guidance Regarding the Interpretation of CCPA Definitions.”
999.302(a) Whether information is “personal information,” as that term is defined in Civil Code section 1798.140, subdivision (o), depends on whether the business maintains information in a manner that “identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked [sic], directly or indirectly, with a particular consumer or household.” For example, if a business collects the IP addresses of visitors to its website but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household, then the IP address would not be “personal information.”
Problems
Section 999.302’s interpretation is so frustratingly wrong. Its two sentences have three serious problems.
First, 999.302 distinguishes between what a specific business can do with data and what can be done with data more generally. The original definition demands protection of information if it can be reasonably linked with a particular household by anybody. In contrast, the draft regulation only requires protection of information if it can be reasonably linked by the business. It suggests that to free personal information from CCPA protection, a business doesn’t have to make the information less identifiable, but to handicap its own identification capabilities.
This is something industry critics of CCPA (who want to weaken the law) have been begging for. Their argument is that you can’t expect every mom-and-pop data company that peddles in the personal information of 50,000 people annually to be able to figure out what leet MIT hackers can do with data. That argument makes some sense, and it’s clear that a lot is riding on the meaning of “reasonable” in CCPA’s definition of personal information.
However, this distinction yields a nonsensical policy. For example, CCPA makes it illegal for a business to publicly tweet its users’ personal information. But if the business can’t reasonably link it to a household, then it’s not personal information. And if it’s not personal information, CCPA doesn’t apply. Tweet away. Of course, what should matter from a policy perspective is what the recipients of that information—anybody on the internet—can do with it.
Maybe I’m reading it wrong. That can’t be what they mean, right? Wrong!
Second, it is, in fact, wrong, because they illustrate their point with the worst possible example: IP addresses! A typical household’s IP address (say, on a family desktop) stays the same for months or years at time. During that period, every webpage they visit sees the IP. If anything “could reasonably be linked to a specific household,” it’s an IP address. CCPA mentions IP address explicitly twice! But the draft regulation would make it possible for IP addresses to not be personal information. If the business doesn’t keep around other information needed to link the IP address to the household (it’s hard for me to write that phrase it’s so vacuous), then the data is free from CCPA.
Third, under 999.302 personal information no longer includes all information that could reasonably be linked with a particular household. It only includes information that is “maintained in a manner that could be reasonably linked” with a particular household. Compare with the statute’s language. 999.302 focuses the definition of personal data on the form of the data: how it’s maintained. It sidelines the power of the data: what can be done with it. For a data privacy regulation, this is backwards: the power of data, not its form, is what matters.
I’ve made this point before in a piece on ambiguities in the law’s definition of “probabilistic identifiers” and calling for regulatory clarification. But Section 999.302 is so much worse, enshrining the worst interpretation of the ambiguous definition of probabilistic identifier as the main definition for personal information.
Let’s go back to our adult video site IPporn. If the IP+video log doesn’t fall under the new exception established in the draft regulation, I don’t know what does. According to the regulation, it’s not personal information and IPporn can do whatever they want with it. Like tweet, making people’s porn habits all but public. Like I said, this is astonishing.
Section 999.302 has no place in the final regulations. By distinguishing what a specific business can do with data and what can be done with data more generally, the draft regulation would gut the boldest American privacy statute in a generation.
The Public Comments
The Attorney General accepts public comments after every revision of the regulations. About 100 were submitted, only a handful mentioning Section 999.302.
Most comments applauded the new language. Not because they didn’t appreciate its significance, but because they appreciate its significance. One comment praised excluding IP addresses from the definition of personal information as “an excellent policy goal.” Four comments asked the Attorney General to go even further by removing from CCPA regulation any information that a business chooses not to link to an individual consumer, no matter how easy it is to do so.
Luckily, I was not the only commenter to point out the absurdity of Section 999.302. A joint comment from the ACLU, EFF, and other consumer rights non-profits presented a strong argument against the language.
But undoubtedly the most important comment, however, came from Senator Hannah-Beth Jackson, Chair of the Senate Judiciary Committee: “One specific area that I find sacrosanct is what is considered ‘personal information’ for purposes of the CCPA . . . . I believe that Section 999.302 of your modified proposed regulations weakens the very definition we have been fervently protecting.” When one of CCPA’s key senators expresses “deep concern” over your regulation, you listen.
On March 11th, the Attorney General published the third draft of the CCPA regulations, striking Section 999.302 altogether and opening a round of public comments.
The regulations are still in flux. You can be sure that the industry groups that applauded Section 999.302 will pressure the Attorney General to re-introduce similar language. I encourage you to submit a comment thanking the Attorney General for removing Section 999.302, and sharing any other feedback you have on the regulations. You can submit comments by emailing PrivacyRegulations@doj.ca.gov through March 27, 2020.