Looking At California's Meshing Privacy Bill: A Privacy Bomb Is Close To Live On Dropped On The California Economic Scheme Too The Global Internet

This article was written a twenty-four hours earlier the neb passed the Cali legislature but has some insight that may live actionable.
From the Technology & Marketing Law blog, June 27:

By tomorrow, the California legislature probable volition exceed a sweeping, lengthy, overly-complicated, in addition to poorly-constructed privacy constabulary that volition guide hold ripple effects throughout the world. While non quite every bit comprehensive every bit the GDPR, it copies some aspects of the GDPR in addition to volition squarely acquit on every Internet service inward California (some of whom may live non currently live complying GDPR due to their US-only operations). The GDPR took 4 years to develop; inward contrast, the California legislature volition pass a grand full of seven days working on this major bill. It’s such a brusk turnaround that most stakeholders won’t guide hold a opportunity to participate inward the legislative proceedings. So the Internet is probable to alter radically tomorrow, in addition to most people guide hold no clue what’s coming or whatever vocalisation inward the process.

As bad every bit this sounds, the legislature’s passage of the neb is probable the GOOD resultant inward this scenario. What could live worse?

The legislative rush-job was prompted past times a proposed initiative, the California Consumer Privacy Act, which got certified for the ballot on Monday. The inaugural was sponsored by San Francisco existent estate developer Alastair Mactaggart, who has no expertise inward privacy constabulary but plenty coin to fund his pet topics. He spent $3M getting the inaugural qualified for the ballot in addition to funding a back upward campaign. The inaugural procedure inward California has several known defects, including (1) the text is locked down, thence there’s no agency to amend the proposed text based on comments from other stakeholders (which the legislative procedure allows), in addition to (2) extreme difficulty amending or repealing the constabulary ane time approved past times voters–effectively, it becomes frozen constabulary that’s permanently out of the legislature’s purview. So if the inaugural passes, the initiative’s worse linguistic communication volition perish immutable–we’ll live stuck amongst its many defects potentially forever. By getting the inaugural qualified, Mactaggart has leverage over the legislature. He tin demand that the legislature exceed a constabulary similar the inaugural earlier the deadline to withdraw the inaugural from the ballot (in which illustration he’ll withdraw), or the voters volition potentially lock inward the inaugural linguistic communication forever. The deadline to withdraw the inaugural is tomorrow, thence that’s what prompting the legislative burn downwardly drill.

Given dulled world sentiments towards the Internet giants, the wishing of Californians for to a greater extent than privacy protection (especially from the government), in addition to the initiative’s overwhelming complexity, defeating the inaugural at the ballot box is no slow task. Opponents are estimating they volition build a $100M warchest to larn by the initiative, in addition to fifty-fifty then, its defeat is non guaranteed. With the nuclear alternative of frozen text every bit an unbearable downside risk, the Internet giants volition cave in addition to back upward a legislative deal, which they tin effort to amend later, rather than adventure at the ballot box.

I trust you lot noticed how Mactaggart’s play a joke on is infinitely repeatable past times other millionaires. It commonly costs most $1M to get together plenty signatures to qualify an inaugural for the ballot. Every wealthy mortal amongst a pet theme tin pass that million, larn the certification for the ballot, in addition to thence approach the legislature amongst the same deal: exceed my constabulary or we’ll position the number to voters in addition to bypass the legislature altogether (and potentially handcuff legislative powerfulness on this theme forevermore). This is ane of the worst possible ways to laid a legislative agenda. Among other major problems facing our country, nosotros demand to eliminate California’s inaugural procedure to closed downwardly this unwelcome workaround to our democratic institutions.

“Summary” of the Bill
It’s non possible for me to write my ain summary of the neb inward the fourth dimension I guide hold to write this weblog post. First, the bill text keeps changing. Second, the neb is 10,000 words of dense legalese roofing a broad array of dissimilar policy ideas–including brand-new rights for consumers to access their data, erase their data, in addition to opt-out of information sales (and giving minors opt-in rights), plus making diverse changes to the information breach notification law. This is an omnibus law, making it impossible to summarize inward soundbites. Instead, hither is the Senate Judiciary Committee report’s 3,000 give-and-take “summary”:

___
This neb would constitute the California Consumer Privacy Act of 2018 (the Act) to perish operative on Jan 1, 2020, contingent on the privacy inaugural beingness withdrawn from the ballot pursuant to Section 9604 of the Elections Code.

This neb would render that a consumer shall guide hold the correct to asking that a line of piece of work organization that collects a consumer’s personal information expose to that consumer the categories in addition to specific pieces of personal information the line of piece of work organization has collected. The obligation to render such information is only triggered upon receipt of a verifiable consumer asking in addition to is express to no to a greater extent than than twice per year. Such line of piece of work organization would live required to inform consumers every bit to the categories of personal information to live collected in addition to the purposes for which the categories of personal information shall live used. Influenza A virus subtype H5N1 line of piece of work organization shall non collect additional categories of personal information or work personal information collected for additional purposes without providing the consumer amongst notice consistent amongst this section.

This neb would render that a consumer shall guide hold the correct to asking that a line of piece of work organization delete whatever personal information most the consumer which the line of piece of work organization has collected from the consumer. Upon such a request, the line of piece of work organization would live required to delete the information from its records in addition to straightaway whatever service providers to create the same. This correct to delete would demand to live disclosed past times businesses collecting personal information

This neb would render that businesses are non required to delete information upon asking where it is necessary for the line of piece of work organization to maintain the consumer’s personal information for diverse purposes, including detecting safety incidents; complying amongst a legal obligation; enabling exclusively internal uses that are reasonably aligned amongst the expectations of the consumer based on the consumer’s human relationship amongst the business; or otherwise using the consumer’s personal information, internally, inward a lawful agency that is compatible amongst the context inward which the consumer provided the information...

... Some Comments
Legions of academics could pass their entire careers grokking these provisions in addition to debating the pros in addition to cons of each. The California legislature volition pass less than 168 hours doing that… in addition to if I promise to larn out this postal service inward whatever time-effective way, I guide hold mere minutes to highlight simply a few issues:

Who’s Covered past times the Law? Virtually Every Business. The inaugural has largely been styled every bit anti-data brokerage, but the neb truly applies to whatever “business that collects a consumer’s personal information.” “Business,” “collects,” in addition to “personal information” are all defined terms, but expansively. For example, every bit I’ll explicate inward a moment, the Definition of “personal information” covers virtually all information inward a company’s possession. So let’s assume for a instant that, on its face, this constabulary applies to every business–online in addition to off–that has consumers. We’re non talking only most Internet giants similar Google in addition to Facebook. We’re talking every retailer large in addition to small: every gas station, grocery store, restaurant, bakery, local mom-and-pop shop, etc. We’re talking every professional person service provider: every attorney, accountant, therapist, doctor, etc. We’re fifty-fifty talking most most manufacturers–certainly those that sell direct-to-consumers, but perhaps even  those only transacting business-to-business.

The neb has extra obligations for businesses that “sell” consumer data, but ane time to a greater extent than the Definition is expansive (and the active dependent area of amendments) to include “disseminating” consumer information for “monetary or other valuable consideration.” The legislative written report references the Cambridge Analytica scenario every bit ane of the targets, but did Facebook “sell” the information to the Oxford researcher past times allowing his access to Facebook’s API? There was no coin exchanged, but every Internet fellowship that sets upward an API has a pretty clear quid-pro-quo of sharing the information to create goodness its consumer base. Does that tacit quid-pro-quo constitute “valuable consideration”? If so, every Internet line of piece of work organization amongst California ties in addition to an API volition live dependent area to the enhanced rules most information “sales,” fifty-fifty if no ane would always characterize the information transfers every bit a “sale.”

Acknowledging that it doesn’t intend to accomplish every California business, the neb sets upward the next thresholds for applicability: a line of piece of work organization must (1) guide hold $25M+ inward annual revenue, OR (2) derive 50%+ of its revenues from selling consumer data, OR (3) “annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, lonely or inward combination, the personal information of 50,000 or to a greater extent than consumers, households, or devices.” So whatever line of piece of work organization amongst 50,000 annual consumers–an average of 137/day–is almost surely governed past times this law, in addition to that includes many mom-and-pop retailers in addition to other little businesses. If I were to prepare only ane edit to this bill, I’d alter this department to add together at to the lowest degree ane goose egg to the $25M in addition to 50k thresholds.

As an illustration of its broad reach, is my weblog covered past times the bill? I larn 50k+ visitors/year, my analytics parcel picks upward their IP addresses, in addition to I larn most $400/year from Google AdSense. Based on the bill’s expansive Definition of “commercial purposes” (which seemingly includes advertizing revenue), I powerfulness live covered. If the neb passes in addition to I’m covered, I would probable closed off Google ads to avoid complying amongst the law....

...California Has 24 Hours to Pass This Privacy Bill or Else