This is the property of the Daily Journal Corporation and fully protected by copyright. It is made available only to Daily Journal subscribers for personal or collaborative purposes and may not be distributed, reproduced, modified, stored or transferred without written permission.

Government

Sep. 18, 2019

Like GDPR, dire predictions about CCPA are likely to be wrong

The first year of the European General Data Privacy Regulation has yielded compliance questions and legal challenges, but the dire predictions have been largely wrong. The same is likely true when the California Consumer Privacy Act takes effect.

Anita Taff-Rice

Founder
iCommLaw

Technology and telecommunications

1547 Palos Verdes Mall # 298
Walnut Creek, CA 94597-2228

Phone: (415) 699-7885

Email: anita@icommlaw.com

iCommLaw® is a Bay Area firm specializing in technology, telecommunications and cybersecurity matters.


CYBERSLEUTH

Nissan Corporation is heralding a new era in which our cars can scan our brains as we drive to improve driving performance. Seriously. The so-called "brain-to-vehicle" technology involves wearing a helmet with rows of electrical sensors contacting the driver's scalp. Nissan touts the technology as a way to "predict a driver's actions and detect discomfort" such as changing lanes or growing concerned that the car is going too fast. By monitoring brainwaves, the car can start the action that the driver was thinking of faster (0.2 to 0.5 seconds on average).

Nissan promises that brain-to-vehicle technology will "deliver more excitement and driving pleasure." The only thing it sounds like brain-to-vehicle tech will actually deliver is a headache and a massive opportunity for Nissan to collect (and likely store) the most personal data imaginable -- brainwaves. The possibilities are limitless for Nissan to sell such data to insurance companies, marketers, etc. -- except in California.

Last year the California Legislature passed, and Gov. Jerry Brown signed into law, the California Consumer Privacy Act of 2018. Cal. Civ. Code Sections 1798.100-1798.199. Despite pressure in the last few months from technology giants to weaken its provisions, the law takes effect largely intact on Jan. 1, 2020. Legislators might have had brain-to-vehicle technology in mind. The CCPA gives consumers control over data collected by businesses, including "where a consumer lives and how many children a consumer has, how fast a consumer drives, a consumer's personality, sleep habits, biometric and health information, financial information, precise geolocation information, and social networks." Assembly Bill 375, Section 2(e).

The CCPA covers a broad range of personal information, including social security number, driver's license number, email address and IP address, but also records of products or services purchased, obtained or considered; other purchasing or consuming histories or tendencies; internet activity such as browsing history, search history and a consumer's interaction with a website, application or advertisement; and geolocation data. Cal. Civ. Code Section 1798.140(o)(1)(A)(D)(F)-(G). The CCPA also protects more exotic data such as biometric and "audio, electronic, visual, thermal, olfactory, or similar information." Cal. Civ. Code Section 1798.140(o)(1)(E)(H). Upon first reading, these biometric data elements seemed somewhat over the top. Yet with helpful technology such as brain-to-vehicle underway, can "nose-to-oven" technology be far behind?

The ability of businesses to collect and retain vast troves of personal and physical information that provide a penetrating view into daily life is somewhat less disturbing due to the CCPA. The law gives California consumers a right to be notified what personal data is collected, and to have it deleted, not only in the collecting company's records but in the records of any company with which the data was shared. Cal. Civ. Code Section 1798.105(a)(c). This provision enables consumers to control the spider web of information sharing that resulted in debacles such as Cambridge Analytica, which got personal information from Facebook without consumers' knowledge, in order to build psychological profiles for voter analysis. Equally important, Section 1798.150(a)(1) imposes an obligation on businesses to implement and maintain reasonable security measures to protect personal information and provides a right of action to consumers to collect damages if unencrypted private data is disclosed due to unauthorized access.

The CCPA applies to any for-profit company doing business in California with gross annual revenues in excess of $25 million if it buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices for commercial purposes; or derives 50 percent or more of its annual revenues from selling consumers' personal information. Cal. Civ. Code Section 1798.140(c)(1)-(2). Under this definition, essentially all large data brokers, insurance companies, cellular providers and large technology companies will be subject to the CCPA requirements.

There's no doubt that businesses will have to expend time and money to comply with the CCPA. But predictions of commercial catastrophe are overblown. The closest equivalent to the CCPA is the European Union's General Data Protection Regulation, which has been in effect for 14 months. When the GDPR was passed, there was a similar outcry that it was onerous and would cripple companies' ability to do business. Yet commerce continues in the EU. On average, companies in the EU report spending $3 million annually on GDPR compliance, according to the Practicing Law Institute.

Fines, however, have been growing. In the first year that the GDPR was in effect, 94,000 complaints were filed, and fines totaled €56 million, but the substantial majority of those fines was a single €50 million fine against Google, for allegedly failing to obtain consent for using consumer data for targeted advertising. Google used pre-checked boxes to obtain consent, and the French data protection agency, CNIL, found this approach to be insufficient consent. Google has appealed.

Recently, more large fines against high-profile companies have been assessed. In July, Marriott was notified that it would be fined €99 million for the data breach reported in late 2018 that exposed 339 million guest records globally, of which around 30 million related to residents of 31 countries in the European Economic Area. Seven million related to UK residents. Also in July, British Airways was notified it would be fined £183 million ($227 million) for a data breach in June 2018 in which customer data was diverted to a fraudulent website. Personal data of approximately 500,000 customers was exposed.

To be sure, the first year of the GDPR has yielded compliance questions and legal challenges, but the dire predictions have been largely wrong. The same is likely true when the CCPA takes effect next year.
