Challenges and opportunities in California’s new privacy law

Legislative sausage-making is always messy, but the process whereby California passed its new privacy law should make the U.S. ashamed before the world. A rich California developer funded a publicity campaign on a ballot initiative for his pet policy peeve and blackmailed the entire California government into passing it into law, essentially unexamined, in a matter of days. The only saving grace is that it has a two-year implementation delay, which will give the legislature a chance to fix it in leisure. Technical corrections are badly needed, and the legislature must now turn its attention to many critical fixes.

In contrast, the European Union, which has struggled with its own democratic deficit, put in place its new General Data Protection Regulation with a model of democratic openness and deliberation that involved years of consideration and debate. Whatever people think of the final product, and I think it was largely a missed opportunity to get privacy policy right, no one can complain that it short-circuited essential procedural protections. 

Many are celebrating the outcome, but they may well regret the process used, as activists with other interests discover the joys of legislative extortion.  

Despite process issues, the new California law is landmark privacy legislation. 

As with data breach notification (where California’s 2005 data breach notification law has spurred copycat laws in all 50 states) and with student privacy (where California’s 2014 law has been imitated in state legislatures around the country), the California privacy law will propagate itself in other states as early as next year. It has prompted even this administration and the U.S. Chamber of Commerce to contemplate national privacy legislation.

This provides an unusual opportunity to get privacy policy right. Regrettably, the new California law doubles down on the idea of individual control by establishing a blizzard of new rights to enable people to decide, on an individual basis, where, when and how organizations can collect and use their personal information.

This idea of individual control is so ingrained in the thinking of privacy advocates and their legislative allies that it will certainly be part of the coming privacy debate, despite the fact that it been devastatingly criticized by privacy scholars, most recently by Woody Hartzog, as failing to provide genuine protection and dissipating social control by spreading it to the disaggregated choices of isolated individuals. But there’s still a chance for a different approach.

New federal legislation should introduce elements of a risk-based consumer protection approach to privacy

This alternative and better approach should build on the experience and framework established by the Federal Trade Commission. The principle that privacy is not a right to figure out for oneself what uses of information one is willing to allow in return for what considerations but is instead a right not to be harmed by the collection and use of information might find a place in the developing new privacy framework. It could serve as the U.S. alternative to the European approach which is permanently wedded to the idea of privacy as an individual right of information control.

Some elements of the California bill will need to be clarified, especially concerning student information and public records.

Most education technology companies providing services to California schools are under contract with a school, are extremely restricted in what they may do with student information, and subject to enforcement by both state and federal officials.  It is unclear whether they will need to comply with certain measures in the new law such as the right to erasure. Will the companies need to honor requests from 17-year-olds to delete a bad grade or even delete the entire student record without the school’s knowledge? It would be much more sensible to have companies follow the privacy-protective procedures set forth by existing laws like California’s own student privacy law that require a company to delete a student’s covered information if the school requests the deletion. The technical amendments fix should make this clear.

Are public records included in the new law? The legislation clearly and properly intended to exempt them, but it also appears unintentionally to cover them if they are used for a purpose that is “not compatible with” the purpose for which the data has been collected. Does this phrase mean the use of public records by journalists would be subject to all the rights in the bill, including consent by the individual data subject and the right of erasure?

Such a policy is not contained in European law. While GDPR has a compatibility test for the re-use of personal information, it allows public record re-use without the imposition of any compatibility condition in accordance with the nondiscrimination conditions in the 2003 EU public records directive.

There’s also a constitutional question. If the law really does contain this compatibility restriction on the re-use of public records, it would have to pass the First Amendment test of being narrowly tailored to meet a compelling government interest. What’s the interest here?

The California legislature clearly intended to exclude public records from the definition of personal information but inadvertently undermined the exception with poor draftsmanship that appears to impose a compatibility test, thereby unintentionally creating a restriction on access to public records that has First Amendment problems and that exists nowhere else in the world, even under Europe’s GDPR. It should clarify this issue in its technical amendments bill.

Despite its anti-democratic origins and its needed clarifications, the California privacy law creates an extraordinary opportunity to get national privacy policy right in the United States and begin to spread our own vision of effective data protection to the world.