Protecting consumer data privacy in the age of artificial intelligence and increased digital commerce is a growing concern. In June 2018, the California Consumer Privacy Act (CCPA) introduced provisions to protect consumers and became the first U.S. law that can be viewed as a response to GDPR. Going into effect on January 1, 2020, legislation of this scope has far-reaching tendrils that may breed unintentional consequences.
Let’s explore some of the implications of this law in the context of a recent letter sent by Clark Kent to a large internet company.
++++++++++++++++++++++++++++++++
Mr. Clark Kent
1938 Comicbook Ln.
Metropolis, CA 90999
January 1, 2020
Chief Information Officer
Totally Not Evil Internet Corp.
Dear sir or madam,
I write this letter to exercise my rights under the California Consumer Privacy Act (CCPA). As you are no doubt aware, the CCPA became effective today. I would like to be honest with you. You’ve probably guessed why I’m writing this. I have read about the advances of your company’s facial recognition algorithms and machine learning research. I expect it was a shock when your software figured out what I look like without glasses.
Since your company meets all three of the thresholds outlined in the CCPA (even though your company only needs to meet one), I hope that you will take my letter seriously. Specifically, from my cursory research, your company (1) has annual gross revenue over $25 million; (2) annually buys, receives, sells or shares the personal information of 50,000 or more consumers, households or devices for commercial purposes; and (3) derives 50% or more of your annual revenue from selling consumer personal information.
Now that we have that out of the way, I want to voice my concerns. A surprisingly broad array of information is covered by the CCPA. For example, “personal information” is defined as any information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” (And, as a “consumer” under the CCPA is merely a natural person who is a resident of California—that means me.) I note that the definition of personal information specifically includes biometric information, as well as audio, electronic, visual, thermal, olfactory or other similar information. It sure seems that any photos, videos, audio recordings, etc., of Superman in your possession could reasonably be indirectly linked to myself and should therefore be considered my personal information. Because the CCPA covers information that could be reasonably indirectly linked to my entire household, I think you should also include such information or data pertaining to my dog, Krypto, in this request.
Please consider yourself lucky if you do not have any olfactory information obtained from Krypto, but, if you do, please include it in this request as well.
Before you object on the grounds that photos of Superman (and Krypto) are publicly available information (and therefore not covered by the CCPA), I should point out that the drafters of the CCPA saw fit to define the term “publicly available” very narrowly: “For these purposes, ‘publicly available’ means information that is lawfully made available from federal, state, or local government records.” So, for instance, it seems to me that when one of your users takes a selfie with Superman after being rescued from a burning building, collapsing bridge, or the like, and that user’s smartphone automatically uploads that photo to your cloud storage service, I think I have a colorable argument that such selfie contains personal information about me and your company must disclose to me if it subsequently uses that photo for business or commercial purposes, such as including it in a training set for your facial recognition software .
Perhaps you disagree. I can see where you might think the CCPA is unclear. But the real question is whether you want to spend the resources necessary to fight the lawsuit that I am able to bring against Totally Not Evil Internet Corp. in the event that you do not encrypt a photo like that and there is any unauthorized access and exfiltration, theft or disclosure of that photo. The nature of my secrets being as delicate as they are, I would be interested to see how a court views “reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.” How secure is your data security? Please remember that under the CCPA, I could seek recovery of actual damages. Considering the last time someone found out my secret identity it resulted in several city blocks being reduced to rubble, you might want to remember that actual damages in my case exist on a considerable scale.
Accordingly, I would like to request the following:
-
- That, per Cal. Civ. Code section 1798.100, you reveal to me all categories of personal information that you have collected in relation to me or my household (please include Krypto, Superman, and, as things have been going very well lately, Lois Lane), as well as the specific pieces of information you have collected (yes, including olfactory information).
- That, per Cal. Civ. Code section 1798.105, you delete all such information.
- That, per Cal. Civ. Code section 1798.110, you disclose to me the categories of sources from which my personal information was collected and the categories of third parties with whom you share my personal information.
- That, per Cal. Civ. Code section 1798.110, you disclose to me the business or commercial purposes for collecting or sharing my personal information.
- That, per Cal. Civ. Code section 1798.115, you disclose whether or not you have sold or disclosed my personal information to third parties, and if so, the categories of my personal information that Totally Not Evil Internet Corp. has sold or disclosed to third parties.
- And lastly, that, per Cal. Civ. Code section 1798.120, you cease selling my personal information to third parties.
As provided by Cal. Civ. Code section 1798.130, I shall await your complete response to the above requests within 45 days. And should you try to hide the full extent to which you have collected and used my personal information, I will remind you that, in addition to risking significant penalties that the California Attorney General can seek against you, I work with the best investigative reporter in the business.
Sincerely,
Clark J. Kent
(P.S. I expect you will shortly receive similar letters from my friends, Diana, Hal and Oliver.)
++++++++++++++++++++++++++++++++
As you can see from Mr. Kent’s letter, the CCPA is complex legislation that impacts many aspects of today’s consumer-facing commerce. Under the CCPA, consumers are entitled to seek broad categories of information from businesses—requiring businesses to let a requesting consumer know what personal information is collected from that consumer, the sources from which that information is collected and the business purposes for collecting or selling the information and third parties with which the information is shared. There is no question that this law is forcing businesses to change how they handle data. What businesses should ask themselves is whether they are implementing necessary changes fast enough to avoid the expensive fines, class action suits and injunctions that can result from non-compliance with the CCPA.
We’ve previously written about “tweet-less, picture-less,” computer-operated accounts or bots, that make one appear more popular—a.k.a. influential on social media—than one actually is. Recently, legislators and law enforcement agencies have moved to crack down on bots, their evil cousins known as sock puppets, and other deceptive social engagement practices. Specifically, California passed a law that goes into effect in July 2019 banning the undisclosed use of bots to communicate or interact with a person for knowingly deceiving that person to influence commercial transactions or vote in an election. Meanwhile, New York and Florida announced settlements with Devumi LLC, a company that grossed over $15 million in revenue by creating, packaging and selling fake social media likes, followers and posts after the media exposed Devumi’s deceptive activities. The Devumi settlements mark the first of their kind indicating that such activity constitutes illegal deception of the public and, to the extent Devumi used stolen identities for its online activities, illegal impersonation.
