When the California Consumer Privacy Act (CCPA) became effective on 1 January 2020, California became the first U.S. state with a consumer privacy law. According to the State’s attorney general, CCPA “gives consumers more control over the personal information that businesses collect about them”.
On 3 November 2020, Californians then voted in favour of Proposition 24 – the ballot initiative enacting the California Privacy Rights Act (CPRA). Campaigners for the yes vote claimed the new law will give Californians “the strongest online privacy rights in the world”. These include protecting sensitive personal information, tripling fines against companies that violate children’s data, establishing an enforcement arm for consumers, and making it harder to weaken privacy laws in the future.
The CPRA amends the California Consumer Privacy Act (CCPA) by expanding consumer rights, introducing new GDPR-style governance measures, and establishing a new enforcement agency (among other things). In this way, CPRA does not replace or repeal CCPA, but rather augments it.
U.S. law firm Mayer Brown said: “Some of the amendments are merely technical or typographical, but many are substantive and significant, designed by the authors ‘to strengthen consumer privacy rights and prevent dilution by amendments’. The CPRA is also designed with an eye towards obtaining an ‘adequacy’ finding under the European Union’s General Data Protection Regulation (GDPR), such that compliance with the CPRA would be considered to provide an adequate level of data protection for data transfer purposes under the GDPR.”
That is a welcome prospect for anyone currently dealing with Transfer Impact Assessments, Standard Contractual Clauses and Binding Corporate Rules for US transfers since the invalidation of Privacy Shield.
The warm-up act
When it comes to technology, California – home to Silicon Valley – often leads where others follow. That was the tenor of coverage of CPRA in Security Magazine, for example. “Experts believe that this sweeping privacy law will set the bar for privacy rights for the rest of the nation and that federal laws will follow suit,” it reported. Before that happens, let us remember that CCPA (and CPRA) applies only to California for now; the rest of the nation may eventually see something similar adopted as a federal law in a few years.
Who do these new laws apply to and, more importantly, who do they NOT apply to? There are two key definitions in the CCPA that are important to clarify: ‘business’ and ‘consumer’. Why? Because those are the parties these privacy acts apply to, and pinning them down will help us determine who the acts DO NOT apply to.
Under the CCPA, a “business” can be a “sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organised or operated for the profit or financial benefit of its shareholders or other owners.” Thus, for example, a business under this definition generally would not include a not-for-profit (such as not-for-profit schools and healthcare institutions or governmental entities). If a business would be subject to personal jurisdiction in California, based on its activities within the state (including, for example, recruitment and advertising), it is likely that the CCPA would apply. The CCPA applies to any for-profit entity that does business in California (that satisfies a number of specific criteria). Although the statute lacks any definition of “doing business in California”, it is not a requirement that the business be a California entity or have its principal operations in the state, e.g. California students attending out-of-state for-profit schools.
Although many non-profits and governmental agencies are not obliged to comply with CCPA, they often rely on vendors subject to the CCPA in their daily operations. However, not all vendors will be considered a “business”: some will qualify as a “service provider” and so do not need to comply with many of the CCPA provisions.
In summary, the CCPA and CPRA may not apply to not-for-profit entities such as certain schools, universities, government agencies and health institutions.
The CCPA defines “consumer” as “a natural person who is a California resident, as defined in Section 17014 of Title 18 of the California Code of Regulations . . ., however identified, including by any unique identifier”. A California resident is any individual who is (1) “in the state of California for other than a temporary or transitory purpose,” or (2) “domiciled in the state” of California and “outside of the state for a temporary or transitory purpose.”
Notably, the CCPA does not define “consumer” in terms of an individual’s relationship with a business. The act applies to every California resident, whether or not they are a customer of the covered business. Accordingly, employees of a business or a business’s vendors could be consumers. The broad definition of “consumer” also serves to extend the CCPA’s reach beyond state borders, as on its face it applies to California residents regardless of whether they are physically in the state.
Therefore, in summary, the CCPA and CPRA may not apply to the personal data that not-for-profit schools, health institutions and government agencies hold about, for example, students, patients and citizens.
CCPA/CPRA – the greatest show?
Will the CCPA/CPRA make good on campaigners’ claims to be the “strongest online privacy rights in the world”? Perhaps for consumers it will; it certainly has the potential to do so. However, what about all those individuals who are not necessarily consumers, but whose information is processed by institutions – for example students, patients, and citizens? For these stakeholders, the US approach addresses privacy requirements through a panoply of sector-specific legislation, e.g. the Health Insurance Portability and Accountability Act (HIPAA) for health information and the Family Educational Rights and Privacy Act (FERPA) for schools. These acts are not harmonised with, or aligned to, the CCPA/CPRA, and therefore it can be really difficult to figure out which laws offer the greatest protections and rights for a given stakeholder.
Additionally, while CCPA/CPRA is drafted to supplement federal and state law, it will not apply if it is pre-empted by, or in conflict with, federal law, the U.S. Constitution, or the California Constitution. To determine which laws or regulations will govern, an organisation must identify all the purposes for which it collects, processes, and retains consumer information.
For example, although there is a carve out in the legislation for protected health information collected by HIPAA-covered entities and business associates, this is not as broad as it appears. Covered entities and business associates that are otherwise subject to the CCPA must still evaluate how to handle personal information that is not protected health information. This is welcome news for healthcare providers, health plans, and their business associates, but these exceptions do not exclude these entities from the law; only the type of information described. Thus, a healthcare provider might still have CCPA obligations, albeit not with respect to protected health information of patients.
In summary, for the individual, it may prove difficult to determine which law or series of laws applies to their personal data. And for the business, it may be complex to determine the multiple laws that may apply for the same processing, where some data will be governed by one law, and other data governed by another.
Were the US to consider adopting a single harmonized law such as CCPA/CPRA as a federal law equally affecting all states, it would be prudent to consider ensuring that it applies to all institutions, all individuals, and all personal data, similar to what the EU GDPR does. It would indeed then in my view qualify as “the strongest online privacy rights in the world”.
Executive orders threatening privacy for national security
CCPA and CPRA are undoubtedly really positive steps for privacy rights in the U.S. and represent a giant step towards a possible Federal US harmonised privacy law. Thus we stand at the edge of an exciting time in the legislative landscape of privacy that is likely to see significant changes in the next few years.
However, as a privacy scholar (who is at last nearing the end of her PhD in the subject), advocate, and professional, I feel it is incumbent to highlight the elephant in the room – and that is how the U.S. compromises privacy in the name of national security.
I will cover the history and cultural reasons for the differences between the U.S. and the EU on this matter in a separate blog, but for the moment let me just note that the U.S. accepts an invasion of privacy (in the name of security and immigration) that differs from that considered acceptable in Europe.
I am not taking a position on whether I believe it is right or wrong, as there is no right and wrong in many matters – there is often grey. And this matter is grey. But for any future Federal privacy legislation to be considered robust, respected, and trusted worldwide, executive orders such as those listed below would also need reconsideration:
- Executive Order 12333
In 1981, President Reagan issued this executive order, titled “United States Intelligence Activities”, to extend U.S. intelligence agencies’ powers and responsibilities and to direct leaders of U.S. federal agencies to co-operate fully with CIA requests for information. Executive Order 12333 permits the collection, retention and dissemination of information obtained in the course of a lawful foreign intelligence, counterintelligence, international narcotics or international terrorism investigation, and of incidentally obtained information [my emphasis] that may indicate involvement in activities that may violate federal, state, local or foreign laws.
- Executive Order 13470
In 2008, President Bush issued Executive Order 13470 amending Executive Order 12333 to strengthen the role (and access) of the Director of National Intelligence (DNI).
- Executive Order 13768
In 2017, President Trump signed a new Executive Order on Enhancing Public Safety in the Interior of the U.S. Among other elements, the order directs U.S. government agencies to “ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information”, but only if doing so is “consistent with applicable law”. The executive order also encouraged data sharing between federal agencies using “all lawful means to ensure the faithful execution of the immigration laws of the United States against all removable aliens”.
Privacy theatre: the final act
I understand the historical and cultural climate in the US that mandates the need for such privacy-invasive legislation. However, as long as these orders remain acceptable, they remind me of the restrictions at airport security gates, which Bruce Schneier has called ‘security theatre’: if the controls limiting liquids to 100ml, tweezers, baby food etc. are imposed because these items equate to a potential weapon, then ten people need only each carry 100ml of liquid through the airport separately and combine them on the other side of the gates. So the control is ineffective and very simple to work around. If someone carrying containers of liquid over 100ml really was a threat to safety, then why not arrest them, just as if they had a gun in their cabin bag? Or stop them from boarding a plane? Interrogate and investigate them?
However, these controls are not truly risk control-based; they are simply a ‘theatrical act’ created to give the public comfort that they are safe. Security theatre gives us ‘a sense of security’ by forcing us all to take measures that are ‘dressed up’ in security rhetoric. And they work – they make us feel safer and therefore we travel more readily.
In the same way, if we have widespread invasion of privacy behind the scenes of robust consumer privacy there is a risk that legislation about this area could become ‘privacy theatre’.