January 17, 2019

The Honorable Toni Atkins
Senate President Pro Tempore
State Capitol, Room 205

The Honorable Patricia Bates
Senate Minority Leader
State Capitol, Room 305

The Honorable Anthony Rendon
Assembly Speaker
State Capitol, Room 219

The Honorable Marie Waldron
Assembly Republican Leader
State Capitol, Room 3104

Dear Senators and Assemblymembers:

We are California-licensed or -based privacy lawyers, professionals, and law professors. We write to express our concerns about the California Consumer Privacy Act (“CCPA”) and its urgent need for major changes. This letter highlights six areas warranting extra consideration as the California legislature endeavors to improve the law. This is not a comprehensive or detailed list of all desirable changes to the CCPA, but we would be happy to work with you or your staff to develop such a list or provide more specifics about our concerns.

1) Application to Stakeholders Who Did Not Provide Input. Most US privacy laws are “sectoral-based,” i.e., they are optimized for the needs of specific industries. In contrast, the CCPA applies across all industries, with only limited exceptions. Because of the CCPA’s rushed approval process, the California legislature did not hear from thousands of different industries affected by the CCPA. The CCPA will likely need many changes to properly accommodate this wide range of industries. As the legislature works to improve the CCPA, it would be beneficial to conduct the kind of broad-based fact gathering from multiple constituencies that the legislature normally does when evaluating a major law.

2) Compliance Costs for Small Businesses. The CCPA unsuccessfully tried to exclude small businesses from its requirements. The definition of “business” likely reaches many small businesses, including low-margin retail businesses that store 137 unique credit cards a day and tiny ad-supported websites/blogs that get only 137 unique visitors per day. These businesses cannot afford the CCPA’s substantial compliance costs, so they may either ignore the law or exit the market. To avoid these undesirable results, the CCPA should increase its compliance thresholds or scale compliance obligations to business size (or similar proxies).

3) Inconsistencies with the GDPR. Many California businesses recently spent a lot of money on GDPR compliance. Substantial differences between the GDPR and CCPA will impose a new and expensive round of compliance work on those businesses. Worse, those extra expenses probably will not incrementally enhance California consumers’ privacy. The legislature could help by harmonizing the CCPA and the GDPR to eliminate the need for two different compliance programs; or by providing a CCPA safe harbor for GDPR-compliant businesses.

4) The CCPA Counterproductively Undermines Consumer Privacy. Several provisions of the CCPA potentially undermine consumer privacy. For example, the law still seems to mistakenly require businesses to publicly disclose consumers’ private data (1798.110(c)(5)). More generally, to enable the required access, erasure, and portability of personal information, businesses may need to make all of their data identifiable, even data they would prefer to store in non-identifiable ways. Furthermore, several well-publicized incidents have demonstrated how the GDPR’s access and data portability mechanisms expose consumers to additional risks of disclosure to malicious hackers or third parties. The CCPA’s data access and portability provisions create similar risks. To avoid this unwanted result, businesses—at substantial expense—try to confirm requestors’ identities, which counterproductively may require the businesses to collect more personal information from consumers. As a result, the CCPA’s data access, erasure, and portability provisions should be calibrated to ensure they enhance, rather than reduce, consumer privacy.

5) Overbroad Definitions. The definitions are the CCPA’s foundation, and their clarity will dictate the law’s success or failure. Numerous statutory definitions are overbroad, imprecise, or simply unhelpful. Without amendment, they will cause substantial confusion and compliance hardships. We have already mentioned the miscalibrated definition of “business.” Other examples include:

* The definition of “consumer” problematically extends to company employees and business-to-business contacts.
* The definition of “personal information” has numerous problems. Most importantly, it applies to data that no consumer would ever consider identifiable. Also, some specific examples of personal information, such as “thermal” and “olfactory” information, are nonsensical, as is the current scope and treatment of “publicly available” information.
* The repeated references to “households”—a concept not in the GDPR—unhelpfully expand the definition of one person’s “personal information” to reach data about other people. It also means that a business’ data practices towards one person can affect other people in unexpected and potentially unwanted ways.
* The definition of “sale” does not clarify when data transfers or sharing are done for “valuable consideration,” a question of critical importance to many California businesses.
* The definitions of “service provider” and “third party” are unclear, and they diverge from the GDPR’s definitions of data controllers and data processors. Furthermore, the two definitions leave open some key gaps, such as the treatment of non-profit vendors.

6) Extraterritorial Reach. The CCPA purports to reach activity outside of California. Two examples:

* the law claims to regulate businesses with no nexus with California other than being affiliates of California-based businesses.
* the thresholds for a regulated “business” apparently count non-California-based activities.

For example, the $25M threshold equally applies to businesses that receive all revenues from California residents and businesses that receive only $1 of revenue from California residents. If so, a business without any ties to California must comply with the CCPA (at substantial expense) the moment it accepts a single dollar from a California resident. The CCPA’s purported application to activity outside of California raises substantial Constitutional concerns and potentially exposes the state to expensive and distracting litigation. More importantly, it causes tremendous uncertainty and possibly wasted expenditures for businesses without real ties to California. The legislature should clarify the CCPA’s applicability to activities outside California.

***

Everyone has acknowledged that the CCPA remains a work-in-progress, but there may be some misapprehensions about the scope and scale of the required changes still remaining. In our view, the CCPA needs many substantial changes before it becomes a law that truly benefits California. We appreciate your work on these important matters.

Regards,

Professor Eric Goldman
Co-Director, High Tech Law Institute
Co-Supervisor, Privacy Law Certificate
Santa Clara University School of Law
500 El Camino Real
Santa Clara, CA 95053
408-554-4369
egoldman@gmail.com

…on behalf of himself and the signatories listed on the subsequent page. All signatories are signing as individuals and not on behalf of their employers; any listed affiliations are for identification purposes only.

Signatories:

Heather A. Antoine
Mania Aslan, CIPP/US, CIPP/E, CIPM
Mila Balke
Deepali Brahmbhatt, One LLP and CIPP/US
Rafae Bhatti, CIPP/US, CIPM
Alan Chapell, Chapell & Associates and CIPP/US
Allison Cohen, Loeb & Loeb and CIPP/US
Brendan Comstock, CIPP/US
Tanya Forsheit, Frankfurt Kurnit Klein & Selz and CIPP/US, CIPT; also: Adjunct Professor, Loyola Law School
Alan L. Friel, BakerHostetler and CIPP/US, CIPM; also: Adjunct Professor, Loyola Law School
Elizabeth Fu, CIPP/US
Cathy Gellis
Daniel Goldberg, Frankfurt Kurnit Klein & Selz and CIPP/US
Mike Godwin
Porscha Guasch, CIPP/US
Ganka Hadjipetrova, CIPP/US, CIPM
Michael Hellbusch, Rutan & Tucker and CIPP/US, CIPP/E, CIPM
Deborah Shinbein Howitt, Lewis Bess Williams & Weese and CIPP/US
Lily Lei Kang, CIPP/US
Bennet Kelley, Internet Law Center
Irene Koulouris, CIPP/US
Amy Lawrence, Frankfurt Kurnit Klein & Selz and CIPP/US
Letitia Lee, CIPP/US
Christine Lyon, Morrison & Foerster
Olivia Manning, CIPP/US, CIPM
Jess Miers, CIPP/US
Chiara Portner, Hopkins & Carley, CIPP/US
Hannah Poteat, CIPP/US
Kristie D. Prinz
Kristen Psaty, CIPP/US
Michael G. Rhodes, Cooley LLP
Andra Robinson
Michael Scapin, CIPP/US
Andrew Serwin, Morrison & Foerster and CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPM
Berin Szoka
Brent Tuttle, CIPP/US, CIPP/E, CIPT
Pamela C. Vavra, Pamela C. Vavra Law Offices
Sophia Vogt, CIPP/US
Charlie Vuong, CIPP/US
Randy Wilson, CIPP/US, CIPP/EU, CIPM