Fifteen organizations urge CA legislature to strengthen the CCPA

Fifteen organizations write in support of AB 3119, which will uphold and expand privacy protections provided by the California Consumer Privacy Act (CCPA). Consumers are constantly tracked: online, through apps, and in the physical world. Though the CCPA gives adult consumers the right to opt-out of the sale of their information, companies can still collect and share unnecessary and excessive data. This bill will ensure that all consumers’ data will be protected by default, guarding against the widespread dissemination of their personal information—often in ways that can be harmful and discriminatory.

Now more than ever, consumers need strong rules to ensure their privacy. Tech companies are working to create new tools to help counter the COVID-19 crisis, such as contact-tracing apps and COVID screening services, but consumers shouldn’t have to give up their right to privacy to protect their health. For example, a number of apps are in development to help public health agencies and consumers to engage in accelerated contact-tracing, based on Apple and Google’s proposed Bluetooth-based API. There should be, at the very least, reasonable limits on companies’ data collection and sharing of consumers’ sensitive data pursuant to these services, limits that are backed up by law. Such limits will not only protect consumers but also enhance their trust in any technologies rolled out to fight the pandemic. Currently, a majority of Americans don’t trust companies to protect their health data, which could pose a barrier to consumers’ use of contact-tracing technology.

Without appropriate protections, companies will likely collect, use, share, and retain more data than they need. For example, Verily, a subsidiary of Alphabet, Google’s parent company, has launched a new service in California to help consumers determine whether or not coronavirus testing is appropriate, and requires consumers to login with their Google accounts. Since this information is not covered by HIPAA, the companies involved can do whatever they like with the data. Despite letters from Congress calling on Verily to put limits on this data use, the company has thus far refused to make meaningful changes—and right now no law requires it to do so.

The CCPA offers important protections, but it is not sufficient to ensure that consumers are in control of their data. The CCPA does not restrain companies’ collection of data, and it leaves adult consumers to identify every company that is selling their information and submitting an opt-out request. This is an overwhelming task, especially because companies have thrown up roadblocks to consumers seeking to enjoy their privacy rights—and many have declined to comply at all. Consumers need data minimization—meaning data collection that is reasonably necessary to operate the service requested by the consumer, in addition to greater control over data sharing—which is included in this bill. These protections are incredibly popular: a recent survey found that 94% of likely California voters think companies should get your permission before sharing your data.

This bill advances protections at a time when consumer privacy is most under threat. However, the bill has been denied a hearing despite the urgent need to address the issue. We urge your support to help push the bill through the legislative process, as we work with the author to improve it even more.

Respectfully submitted,

Access Humboldt
ACLU of California
Brave
Campaign for a Commercial-Free Childhood
Center for Digital Democracy
Common Sense
Consumer Action
Consumer Federation of America
Consumer Reports
Electronic Frontier Foundation
Indivisible Sacramento
Media Alliance
Oakland Privacy
Privacy Rights Clearinghouse
X-Lab