California Privacy Bill: Commentary and Summary

Consumer privacy has been a hot topic for the past few months. Late last year, the Federal Trade Commission issued their report endorsing a “Do Not Track” option. The Commerce Department weighed in on privacy, leaning towards industry self-regulation. With the buzz privacy was receiving in the media, several browsers soon released updated privacy options. However, without any action by tracking companies to take these privacy settings and apply them in determining whether an individual’s behaviors be tracked, these browser updates are essentially futile.

In April, the Commercial Privacy Bill of Rights Act of 2011 by Kerry and McCain came out recommending:

  • Clear data collection notice, including the purpose of collection and the ability to opt-out.
  • Individuals to be able to access their information, and request cessation of its use and distribution.
  • An opt-out for all data, with an opt-in for sensitive personally identifiable information.
  • Companies to minimize only the data they need to provide transaction or services.
  • Companies bind third parties they share data with as to what they can do with the data.
  • No private right of action.
  • Voluntary “safe harbor” program that would allow companies to exempt themselves from the requirements if they had procedures in place that were just as good.

Now, the California Senate Judiciary has cleared proposed Privacy Bill SB 761. The Bill calls for the Attorney General to adopt new regulations for consumer opt-out of tracking.

Commentary

While the intention to protect consumer privacy is to be commended, there are some concerns with the proposed Bill.

For a summary of the Bill, please read below under The Bill: In Summary.

State laws in an online world

Global businesses already face a minefield when it comes to international laws. For example, European laws regarding privacy are stricter, with Google Analytics in Germany prohibited.

The reality is, online business does not have a simple physical presence, where state boundaries are easily applied. The draft Bill applies to entities doing business in California with a consumer in California. This appears general enough that it is not limited to simply companies located in California. Has a situation therefore been created where companies across the United States (and arguably, the world) must comply with these proposed regulations for California users?

Recognizing California Users’ Opt-In

How are companies to detect what state a user is located in, to ensure compliance? Understanding that a user is a California consumer, and therefore must be provided with recognized opt-out, would require capture of (and respond to, in real time) IP or physical address – the very data collection that users could be trying to opt out of.

First Party vs. Third Party Data

The Bill does not clearly distinguish between third party tracking done by companies such as ad networks, and first party web analytics for the purposes of site optimization and business analysis.

In one way, the Bill can be read as prohibiting web analytics data capture: the type of data covered includes “Internet Web Sites and content from Internet Web Sites accessed”, including time and date of access – the foundation of first party web data capture.

On the flipside, there are exceptions that can be interpreted as permitting web analytics.

For example, an exception to regulation is granted if analysis of that consumer data is not the company’s primary business. Does this allow for web analytics? Company X sells mobile phones, but analyzes their site visitors. That analysis is not their business, phones are. Is web analysis permitted?

There are also exceptions made for “commonly accepted business practices.” Among them is using data to improve products, services or operations. Arguably, first party web analysis for the purposes of site optimization falls into this. Is it therefore permitted?

An exception is also granted for businesses not collecting or storing sensitive information (defined as medical, health, race or ethnicity, religious, sexual, biometric or social security information.) Does this therefore mean that first party web analytics is permitted for companies not storing any of this type of data? What if a company collects this data but it is completely separate from their online data?

One hopes a revised Bill, or the regulations themselves, would speak more clearly to first versus third party data capture. The current draft would likely lead to litigation to resolve the issue of first party web and business analytics.

Add your commentary

I’d love to hear your thoughts – good, bad or ugly. Please leave a comment!

The Bill: In Summary

California already has in place existing law requiring notification to Californian users of a company’s privacy policy. However, the proposed SB 761 requires the Attorney General to adopt new regulations to allow for consumer opt-out of tracking.

Who would these regulations apply to?

  • Anyone person or entity doing business in California that uses online data collected from a consumer in the state.

What would these regulations require?

  • A company to provide California consumers with a method to opt out of data collection, storage and use.
  • Require disclosure information on data practices and to whom this data may be disclosed to.
  • Prohibit data collection or use if a consumer has opted out.

In addition, the Attorney-General may also require that covered entities provide:

  • A way for consumers to access their information.
  • Data retention and security policies in an easy to understand way.

What type of data is covered?

  • Web sites and what content is accessed
  • Time and date of access
  • Geolocation
  • Method of access (for example, device or browser being used)
  • IP address
  • Personally Identifiable Information:
    • Name
    • Address
    • Email address or username
    • Phone or fax number
    • Government ID number (e.g. passport number, driver’s license)
    • Financial account numbers and the security codes used to grant access to these accounts
    • Sensitive information:
      • Information related to medical history and health
      • Race or ethnicity
      • Religious beliefs and affiliation
      • Sexual orientation or behavior
      • Financial information such as income and assets.
      • Biometric information such as fingerprints
      • Social security information.
      • Does not include:
        • Business information such as business email address or business phone number.

Exemptions from regulation:

  • Regulations should not interfere with a commercial relationship where the consumer has expressly opted in for those purposes. However, the Bill specifically states that if that business is online advertising and marketing, the regulations may affect that relationship.
  • Federal, State or Local government
  • Smaller businesses collecting information from fewer than 15,000 individuals total, or 10,000 in a 12 month period.
  • Business not collecting or storing sensitive information.
  • Companies not using the information to study, monitor or analyze behavior of individuals as the primary business.
  • May be an exemption for commonly accepted business practices:
    • Customer service and support.
    • Using data to improve products, services or operations
    • Basic business functions such as accounting, inventory, QA.
    • Defending rights or property.
    • Complying with law, such as court order, subpoena (etc.)

Consequences of non-compliance:

  • Individuals are able to take civil action for damages between $100 and $1000 per breach, plus punitive damages the court may allow.

To read the full bill, please visit: http://info.sen.ca.gov/cgi-bin/postquery?bill_number=sb_761&sess=CUR&house=B&site=sen

To contribute your thoughts, please comment!

4 thoughts on “California Privacy Bill: Commentary and Summary

  1. I think the bill is incredibly misguided. You mention many of the reasons- difficulty of enforcing, no difference between 1st/3rd parties, and the one that gets me the most: “time accessed” and user agent on the same list as social security information? It’s lumping the good with the bad. I’m sure voters will love it, it sounds like it’s protecting against horrible PII practices.
    I think our industry has a hard road ahead of it, educating users about why they don’t need to fear all tracking.

  2. Fantastic summary, both of the bill and the issues around it. The “state-level legislation in a global world” is interesting, but I could see CA drawing a parallel to the automotive standards they put into place that had national/global repercussions (another example would be the undue power that the Texas Board of Education has over what winds up in textbooks nationwide). I don’t *like* that parallel, but I could see it being used. Essentially, any legislation that has real teeth and consequences can drive businesses to conform to the strictest standard. Unfortunately, this bill, like other federal initiatives, has clarity roughly equivalent to Sarbox, so there’s a lot of interpretation that will have to get worked out.

    One silver lining that I’ve been mulling over is how much more activity is occurring in an app-based world (both social and mobile apps). When I download any app on my Droid, I get prompted to accept that it’s going to have access to certain features and data. When I click into various Facebook apps, they pop up with an authorization screen as well. Those are becoming almost like EULAs — I see it, I mentally register that I’m agreeing to something, and I move on. If I had a magic wand that I could wave, I’d put a similar gate on ALL web sites, and this issue would largely go away. Consumers would realize that there *is* a price for the “free” content they’re consuming, and 99% of them would happily pay that price when it was required.

    Alas! No magic wand…

  3. Pingback: Excel Dropdowns Done Right: Data Validation and Named Ranges | Gilligan on Data by Tim Wilson

  4. Pingback: Measure Mob | Privacy, Laws, Data Breaches ~ Oh My!

Leave a Reply