Tag Archives: becerra

Privacy is too complicated for California to understand, mobile industry panel says

by Steve Blum • , , , ,

Flashers

California’s consumer data privacy law will be the default privacy standard across the U.S., at least for the coming year, and that’s upsetting the Washington, D.C. crowd. A panel discussion on privacy legislation at the Mobile World Congress trade show in Los Angeles last week featured three industry lobbyists, the head of an industry front organisation and a Federal Trade Commission lawyer. All of them are based in D.C., and shared Beltway-centric advice on who should be calling the shots.

The panel was dismissive of state lawmakers’ ability to deal with the complexities of issues that lobbyists and federal regulators have been dancing with since at least 2012, when the FTC published a lengthy set of consumer privacy protection recommendations. Michelle Rosenthal, a former FTC lawyer who left through D.C.’s revolving door and is now a staff lobbyist for T-Mobile, worked on that report and praised its sophistication and subtlety – they even used a whiteboard!

On the other hand, CCPA “was drafted very quickly and passed very quickly”, Rosenthal said. “A lot of the state legislation – which I won’t get into – you know, unfortunately happened so quickly that that process isn’t a thing”.

The discussion would have been better informed if organisers invited someone from, say, California or Nevada who could explain what their thing is. Electronic privacy has long been a policy issue in California, but Sacramento lawmakers didn’t “jump in” until federal regulators tore up their own rules. Even so, the first attempt to pass a Californian privacy law was shot down by the same big telecoms and tech companies that have been so helpful in D.C.

The panel members offered a not-so-surprising consensus on three points:

  • The federal government should set consumer privacy rules because everything will be complicated and everyone will be confused if state legislatures do it.
  • Congress isn’t going to do anything about it this year, and next year isn’t looking good either.
  • The California Consumer Privacy Act (CCPA), which takes effect in January, will be the de facto privacy rulebook for the rest of the country, at least until something even tougher comes along. Which could easily happen, because other states, including Nevada and Maine, are in the game now.

CCPA “in effect, could become, sort of, the law of the land as it becomes implemented”, said Melanie Tiano, privacy and cybersecurity director for CTIA, the mobile industry’s D.C. lobbying group (and a co-sponsor of the show).

“Firms just ratchet up to the highest standard, and that’s sort of the general rule of thumb, and that seems manageable”, said Jared Ho, an FTC privacy attorney. “It seems like one of the greatest concerns is going to be potential conflict”.

Privacy panel mwc la 2019 23oct2019

Draft rules for businesses add enforcement detail to California’s consumer privacy law

by Steve Blum • , , ,

Gagged by privacy

California’s tough consumer privacy law technically takes effect in January, but enforcement won’t begin until next July. The California attorney general has the job of writing the detailed rules that businesses will have to follow, and then enforcing those rules.

The first draft of those new rules was posted for public review and comment. They apply to businesses with more than $25 million in “annual gross revenues”, or collects or deals in “the personal information of 50,000 or more consumers, households, or devices”, or that deal in people’s personal information for a living.

Such businesses have to let customers know what kinds of information they’re collecting, and give them an easy way to opt out of any sale of their info to third parties. The California Consumer Privacy Act was designed with online businesses in mind – the default assumption is that businesses will post notices and receive opt out orders via their websites – but it applies equally to companies that have no online presence at all, or that only interact with customers in person. The draft rules cover those situations, too.

There are separate and stricter rules about gathering information from children and teens.

Opting out is not supposed to result in higher prices for consumers, unless a discount offered in exchange for permission to sell is “reasonably related to the value of the consumer’s data”. Otherwise, discounts have to be available on a non-discriminatory basis to all customers. The draft doesn’t provide a lot of guidance as to what’s discriminatory and what’s not, but it does offer a couple of examples, such as…

A music streaming business offers a free service and a premium service that costs $5 per month. If only the consumers who pay for the music streaming service are allowed to opt-out of the sale of their personal information, then the practice is discriminatory, unless the $5 per month payment is reasonably related to the value of the consumer’s data to the business.

Public hearings are scheduled around California to get input on the draft, and written comments can be submitted by the 6 December 2019 deadline.

California Department of Justice CCPA documents:
Proposed Text, California Consumer Privacy Act Regulations, 11 October 2019
Initial Statement Of Reasons, Proposed Adoption of California Consumer Privacy Act Regulations, 11 October 2019
Notice of Proposed Rulemaking Action, California Consumer Privacy Act, 11 Oct 2019
Economic and Fiscal Impact Statement, California Consumer Privacy Act Regulations, 14 August 2019
Standardised Regulatory Impact Assessment, California Consumer Privacy Act of 2018 Regulations, 14 August 2019

California’s consumer data privacy law survives lobbyist blitz, more or less intact

by Steve Blum • , , ,

Sf naked the streets

Big tech, big telecom and big business made a big push in the legislature to water down California’s landmark data privacy law, AKA the California consumer privacy act. They won some minor victories as the 2019 session ended, but did not succeed in making major changes.

A blog post by Christina Hyun Jin Kroll in the National Law Review has a good run down of the bills that did and didn’t make it out of the legislature and onto governor Gavin Newsom’s desk. Companies won a year’s delay in implementation of some of the protections that apply to employment-related information and data collected as a result of some business-to-business transactions, and expanded the scope of what can be considered “public information” that’s not subject to privacy restrictions. “Deidentified” and/or “aggregate” consumer information was also excluded – it’s no longer defined as “personal information”.

The battleground now moves out of the California legislature and into the governor’s and attorney general’s offices, and to federal lawmakers in Washington, D.C. Newsom has to decide whether to sign the bills into law (it’s expected he will). California attorney general Xavier Becerra has to issue detailed rules for complying with and enforcing CCPA. The law technically takes effect in January, but Becerra’s rules won’t kick in until July. His first draft is expected in the next few weeks.

So far, California is out in front of both the federal government and other states on privacy policy, which is making business interests nervous. Dozens of CEOs from major corporations signed a letter addressed to key congressional leaders that urges them to preempt state laws, because otherwise their customers might be confused by “rules that may change depending upon the state in which they reside, the state in which they are accessing the Internet, and the state in which the company’s operation is providing those resources or services”. Their altruism is touching.

There seems to be widespread agreement in D.C. that something should be done, but, naturally, no one can agree on what that something is. For now, California’s data privacy law is on track to become the de facto national standard.

CPUC won’t release evidence given to state, federal criminal investigators

by Steve Blum • , , ,

No perp walk for Peevey. Yet.

The California Public Utilities Commission wants to hold onto documents it delivered to state and federal investigators looking into possible illegal backroom dealings between former commission president Michael Peevey, a former Pacific Gas and Electric company lobbyist and, potentially, others. That’s the gist of a draft decision released yesterday that would, if approved by the commission next month, reject a public records disclosure request from a San Diego trial lawyer.

On the one hand, the draft is a straightforward explanation of grand jury secrecy. On the other, it details how the CPUC delivered two disks full of evidence to a state criminal grand jury and also cooperated with a federal criminal investigation. The draft confirms what’s already been widely reported: federal and state prosecutors launched criminal investigations into how Peevey handled the CPUC’s response to a fatal PG&E gas line explosion in San Bruno…

The Commission received grand jury subpoenas from the U.S. Attorney’s Office in San Francisco, which had a joint task force with the [California] Attorney General. The federal and state grand jury subpoenas overlapped on subject matter. The U.S. Attorney’s Office specifically admonished that disclosure of any of its issued subpoenas or the Commission’s response could impede or obstruct its investigation. It directed the Commission not to disclose the subpoenas or its response to any third party, including [California public records act] requests, for the indefinite future. Since the U.S. Attorney’s Office and the Attorney General’s investigations overlapped, the task force included state prosecutors, and the documents sought in the state grand jury subpoenas are similar to those covered by the federal grand jury subpoenas, the Commission cannot disclose the subpoenas or its responses. Doing so could impinge on the integrity of the criminal investigations.

The draft confirms that a major focus of the criminal investigations is “how and to whom various cases were assigned to administrative law judges”.

Peevey ended his 12 year stint as CPUC president in 2015. So far, neither investigation – California or federal – has resulted in any criminal charges.

New York, California, 19 other states stake out legal grounds for net neutrality appeal

by Steve Blum • , , , ,

California’s attorney general (AG), Xavier Becerra, joined a speculative lawsuit launched by his New York counterpart aimed at overturning the Federal Communication Commission’s decision to end broadband’s status as a common carrier service and eliminate network neutrality rules. Becerra’s press release might lead you to believe it was his idea, but it was New York AG Eric Schneiderman who led the effort and then convinced AGs from 20 other states, including California, to sign on.

It’s speculative because, as the filing acknowledges, it’s premature. The final-final version of the FCC’s decision hasn’t been published in the Federal Register yet. That’s when the starting gun goes off in the race to the courthouse.

Schneiderman’s petition is just a placeholder, simply claiming that the FCC decision violates federal law. His press release better explains the case against it…

Under the Administrative Procedure Act, the FCC cannot make “arbitrary and capricious” changes to existing policies, such as net neutrality. The FCC’s new rule fails to justify the Commission’s departure from its long-standing policy and practice of defending net neutrality, while misinterpreting and disregarding critical record evidence on industry practices and harm to consumers and businesses…Moreover, the rule wrongly reclassifies broadband internet as a Title I information service, rather than a Title II telecommunications service, based on an erroneous and unreasonable interpretation of the Telecommunications Act. Finally, the rule improperly and unlawfully includes sweeping preemption of state and local laws.

It’s the “arbitrary and capricious” bit that has the best chance of getting traction in a federal appeals court. Judges tend to defer to the FCC’s subject matter expert status on technical issues and have supported wide preemption of state and local discretion. But when the FCC makes those kinds of decisions, it has to exercise due diligence. In coming to the net neutrality decision it arguably didn’t. Commissioner Jessica Rosenworcel certainly argues that, and she was there for much of it.

California’s new broadband cop talks tough but takes cash from telecoms lobbyists

by Steve Blum • , , , ,

The end of network neutrality and other common carrier rules throws broadband companies back under general consumer protection laws. Those are enforced, as Federal Communications Commission chair Ajit Pai put it, by “our nation’s premier consumer protection cop”, the Federal Trade Commission, and by state attorneys general.

In California, that’s Xavier Becerra, appointed by governor Jerry Brown when Kamala Harris moved to the U.S. senate. He has sole responsibility for anti-trust law enforcement and shares consumer protection duties with county prosecutors.

Becerra raised “alarm bells” before the net neutrality decision and “decried” it afterwards , but has yet to say whether he’s going to pick up the regulatory ball that the FCC dropped. In an email, his press office said “we are reviewing the FCC’s order repealing the Net Neutrality rules and evaluating our legal options”, but didn’t respond to a follow up question about timing.

He’s gained a lot of attention by filing lawsuit after lawsuit against the Trump administration, which is a cheap and easy thing for a democrat to do, but Becerra’s appetite for taking on entrenched interests in California is much harder to discern. On the other hand, he’s hungry for cash from companies he’s supposed to be policing. Companies that were very generous to federal politicians while the action was in Washington, D.C.

According to FollowTheMoney.org, Becerra has already collected payments from AT&T ($1,500), Comcast ($7,500, both directly and funnelled through corporate lobbyists) and Charter ($1,500) for his 2018 election bid.

That’s just the start, since he’s only raised about $2 million for his campaign, which is less than a tenth of what it can cost to win a statewide race in California. So he has a financial incentive to make deep pocketed donors happy. How Becerra balances the responsibilities of his job against the cost of keeping it will determine, as his press office puts it, whether Californians will “continue to have free, open, and equal access to the Internet”.