Businesses, Tech Trade Groups Condemn Location Privacy Bill Revival
Arguing that the California Consumer Privacy Act (CCPA) does enough to protect consumers, national tech trade groups and California business associations opposed a revised location privacy bill now pending in the California Senate. In a Tuesday letter to the body’s Judiciary Committee, ahead of a scheduled July 15 hearing on AB-322 and many other bills, the groups said they opposed the measure unless it’s amended.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
The location privacy measure, which would ban the sale of consumers’ precise geolocation data, seemed to die in May, when it was numbered AB-1355, but California legislators resurrected the proposal by replacing the text of AB-322 via a procedural tactic called “gut and amend.” Consumer Reports supported the revival (see 2506240071).
“We appreciate the approach taken in AB 322 in comparison to AB 1355 from earlier this year, which appeared to operate as though protections do not exist here in California for [sensitive personal information (PI)] and precise geolocation data and would have created far more compliance issues and concerns for CCPA-covered businesses and consumers alike,” wrote the industry groups, which included TechNet, the Software & Information Industry Association, the Security Industry Association and the California Chamber of Commerce.
Despite that, AB-322’s “approach could create overly burdensome if not infeasible requirements that do not ultimately serve the purpose of preventing the misuse of precise geolocation data,” they said in the letter. “Unlike most states, California already affords consumers extensive protections over their precise geolocation as a form of sensitive PI under the CCPA as outlined in detail below.”
“While we do not question [that] the bill is well-intentioned and understand it may be tempting to explicitly restate elements of these existing rights in a new bill as they apply to precise geolocation given current events, doing so suggests that existing laws are somehow deficient or inapplicable,” the associations added. “This risks creating confusion about the scope of current law and, paradoxically, may weaken those protections.”
The bill has changed a lot since AB-1355 failed, wrote Future of Privacy Forum Senior Director Keir Lamont in a June 27 newsletter on LinkedIn. Compared to AB-1355, AB-322 has definitions more like existing California privacy laws, he said. “Most significantly, the bill would no longer create a new category of protected location data that would include IP addresses and instead use the existing CCPA’s 1,850 foot radius standard for ‘precise geolocation information.’”
Also, unlike the previous version, AB-322 wouldn’t require businesses to “post a standalone location data privacy policy,” Lamont said. “However, these notices are now more confusingly drafted and could be read as requiring prominent disclosures to individuals for the duration that their precise geolocation data is collected, as is the case with some AADCs.”
The new version also modifies rules for how long data may be retained, he said. “For example, data processed for a security purpose could now be retained for 30 days rather than just 24 hours. While this provides more flexibility for combating threats, a strict thirty-day timeline may still pose operational challenges for maintaining cybersecurity.”
Among other suggested changes, the industry associations recommended amending those retention limits, which, they said, “would impose arbitrary limits that would impede businesses’ ability to conduct basic activities, and put them in legal jeopardy.”