SIIA Privacy Update:
The CCPA, the Public Domain,
and the First Amendment
On January 1, 2020, the California Consumer Privacy Act (CCPA) – the most comprehensive privacy law in the United States – went into effect. The CCPA enhances consumer privacy by giving individuals more control over their data, including rights to deletion and to opt-out of the sale of their personal information. Notably, the CCPA’s definition of “personal information” is broad, capturing even personal information in the public domain. That is, information that is available to the public at large and not protected by intellectual property laws such as copyright, trademark, or patent laws.
As an association of publishers and platforms, SIIA has a strategic interest in ensuring that access to the public domain remains free, open, and untrammeled by unnecessary government regulation. Our members rely on publicly available information for a range of socially important uses, including (1) B2B, scholarly, educational, and specialized publications, (2) maintaining databases for public and institutional customers; and (3) operating search engines. A privacy law subjecting information in the public domain to opt-out and deletion rights unnecessarily and unconstitutionally threatens these models.
To ensure the CCPA did not destroy the public domain, SIIA’s policy team engaged with California policymakers and other stakeholders to obtain key exclusions. We had two significant wins. First, as a result of SIIA’s advocacy, the California legislature amended the CCPA to exclude public records from its regulatory scope. Second, through comments to the California Attorney General, SIIA was able to influence proposed modifications to the regulations governing the implementation of CCPA to protect our members’ interests.
Starting with the Basics: What is the Public Domain?
The public domain consists both of material that’s released in public records that are created and published by public agencies (e.g., tax liens, real estate records, court filings, census statistics, criminal records, etc.) and information that is widely available in private hands and in which no reasonable expectation of privacy exists (e.g., professional contact directories, credential and licensing details, biographical data, and other information drawn from registries, directories, websites, and news and social media channels).
How did SIIA Protect the Public Domain in California?
First, we successfully influenced the legislature to pass AB 874 – an amendment that excludes personal information derived from public records from the CCPA’s scope. As originally enacted, the CCPA would have captured most commercial uses of public records information that qualified as “personal information.” SIIA argued, successfully, that the CCPA’s regulation of this information violated the First Amendment.
Second, SIIA influenced the CCPA’s regulatory process to lower compliance burdens for our members. The CCPA directs the California Attorney General to adopt implementing regulations to clarify the law and help companies operationalize their compliance. The first round of those regulations would have required businesses that collect information indirectly from consumers (such as those that collect information from public websites) to either contact every consumer individually to give the notices required by the CCPA or to obtain signed attestations that the notices were given from every source of the information. Compliance would have been impossible.
SIIA filed comments requesting key changes for the benefits of our members. In particular, our comments focused on how the Attorney General can cure the CCPA’s unconditional regulation of personal information in the public domain. On February 10, the Attorney General released modifications to the initial proposed regulations that eliminated the attestation requirement. These changes did not fix all of our problems with the legislation, and so we filed new comments on February 25th to advocate for further changes.
Why were these changes made?
Two words: free speech. Although privacy is an important value, it must be balanced against other important societal values, such as freedom of expression. The First Amendment protects the dissemination of information, and is especially skeptical of government attempts to restrict information in the public domain. SIIA was unique among advocates in California (and now in the federal process) to persuade legislatures that a failure to protect the public domain jeopardizes the constitutionality of privacy statutes.
Unfortunately, AB 874 did not fix the CCPA’s unconstitutional regulation of publicly available information that is widely available and derived from non-governmental sources (such as information found on public websites). This means that if your business model relies on such information – for instance, if you engage in data collection from online sources – you must either treat this information as subject to the CCPA or risk an enforcement action.
What comes next?
SIIA is still working to have public domain information excluded from the CCPA. Our current focus remains on California’s Attorney General, who has the power to issue a regulation that excludes such information from the statute’s scope. We will know if those efforts are successful when the final regulations are released (possibly in March 2020). If SIIA is not successful, SIIA members have two choices: they can either comply with the CCPA’s unconstitutional extension to this type of public domain information or they can risk an enforcement action and raise the First Amendment as a defense. Of course, these are not attractive options. SIIA will remain engaged on this issue, and look for every opportunity to continue to urge California lawmakers to amend the CCPA to fix this problem.
What about the ballot initiative?
As you may know, the original proponent of the CCPA has introduced a new initiative to amend the CCPA that is expected to appear on the November 2020 ballot. If it passes, it will significantly change the entire privacy compliance landscape in California. With respect to the public domain issue, however, both information from public records and information from widely available non-government sources will be excluded from the law. SIIA will update members as this process unfolds.
Will we have a federal privacy law?
Privacy regulation did not begin, and will not end, in California. Congress continues to work on federal privacy legislation, and many insiders are cautiously optimistic that we could have a federal privacy law within the next 2-3 years. SIIA’s policy team supports federal privacy legislation. We have argued that it must exclude public domain information, include preemption of state laws (which would mean that the federal privacy law would set one national compliance standard), and not allow private rights of action (which would allow individual consumers and class action lawyers to bring harassment lawsuits for technical violations). We’ve already had some early successes with Senate bills on the public domain issue, and we will continue to engage with all stakeholders as the legislative process moves forward.
What about other States?
It is entirely possible that more states will pass comprehensive privacy legislation this year. Washington is currently considering a new version of privacy legislation that failed last year. Illinois and Florida also have pending legislation. Other states are seeking to regulate online privacy. If these legislative proposals pass, the result will be a patchwork of overlapping, and often conflicting, privacy requirements. This is one of the reasons our policy team focuses a lot of resources on urging federal policymakers to enact a national privacy law that preempts state law. In the meantime, as more states enter the field, our policy team plans to address issues critical to our members interests, including how state privacy laws can be harmonized to reduce conflicting compliance obligations.
Should we be worried about anything internationally?
In May, it will be two years since the EU’s General Data Protection Regulation (GDPR) implemented. Since then, we have seen a global trend for privacy legislation following a GDPR model. Countries outside the EU or EEA with data protection laws the EU considers to be adequate are Argentina, Japan, and New Zealand. Brazil’s new privacy law, which is modeled on the GDPR, will implement in August 2020. India’s Parliament is on track to pass a data protection bill. And privacy continues to develop under the GDPR, both from enforcement actions and as the EU continues to work to finalize an EU Privacy Regulation. This regulation will harmonize an existing digital privacy directive with the GDPR (which protects data in all contexts, including non-digital and offline collection and processing).
SIIA’s policy team engages on global privacy trends upon the request of members. Just recently, our team filed written comments to India’s Parliament to raise concerns about a pending data protection bill that raises significant policy and compliance concerns, including data localization requirements. If global privacy trends are important to your business, stay tuned for more updates!