The California Department of Justice has opened up public forums this month as part of the Attorney General’s rulemaking process to promulgate regulations under the California Consumer Privacy Act of 2018 (CCPA). We previously discussed the Attorney General’s Office’s public statement regarding the CCPA here.
As required by the CCPA, the Attorney General must adopt certain regulations on or before July 1, 2020. In holding these public forums, the Attorney General’s Office hopes to provide an initial opportunity for the public to participate in establishing procedures to facilitate consumers’ rights under the CCPA and to provide guidance for business compliance. Specifically, the following aspects are of high priority: businesses’ obligation to disclose data collection and sharing practices to consumers; consumer rights to request deletion of data; consumer rights to opt out of having their personal information sold to third parties; and restrictions on the sale of personal information of consumers under the age of 16 without explicit consent. The Attorney General’s Office scheduled six public forums across different counties in California and invites in-person attendance or written submissions of public comments through February 2019.
Highlights from first public forums
The first public forum took place on January 8, 2019, in San Francisco. More than 100 members of the public attended the forum in person. The Attorney General’s Office kicked off the forum by inviting comments on the following topics:
• Are additional categories of personal information needed?
• Does the definition of “unique identifiers” need to be updated?
• What additional exceptions are needed to comply with state or federal law?
• What rules and procedures should be established for submitting and complying with consumer requests?
• What uniform opt-out logo/button would best promote consumer awareness?
• What types of information or language are sufficient to provide consumers with easily understandable and accessible notice of their rights?
• How should businesses verify and authenticate consumer requests?
Fourteen audience members shared comments and input, including business and trade association representatives and consumer advocates. Specifically, the following comments were provided:
• Commenters asked the Attorney General’s Office to clarify several key definitions in the CCPA, including “Business,” “Personal Information,” “Specific Pieces of Personal Information,” “Consumer” and “Sale.”
• Commenters urged the Attorney General’s Office to establish safe harbor provisions for businesses compliant with the European Union’s General Data Protection Regulation (GDPR) requirements, businesses that voluntarily adopt a template notice to be published by the Attorney General’s Office, and for the sale of information during mergers or acquisitions.
• Commenters asked the Attorney General’s Office to clarify how the CCPA would apply to targeted advertising and loyalty programs.
• Some speakers argued that the inclusion of Internet Protocol (IP) addresses and device identification information as “personal information” is overbroad and would overburden small businesses in record-keeping.
• Some speakers commented that allowing businesses to charge fees or different prices for service “reasonably related to the value provided to the consumer by the consumer’s data” would adversely impact low-income consumers and may run afoul of the original intention of the non-discrimination provision of the CCPA.
• Commenters also proposed that the Attorney General’s regulations should not require businesses to collect additional personal information in order to verify or authenticate consumer requests if the business would not otherwise collect such information.
The second public forum took place on January 14, 2019, in San Diego. The forum again had a similarly high attendance of over 100audience members, but fewer participants contributed comments. In addition to expressing similar concerns from the last public forum, including seeking clarification from the Attorney General’s Office on several key definitions, the speakers added the following comments:
• Commenters sought guidance as to what qualifies as “express notice” required by the CCPA when informing consumers of their rights and responding to consumer inquiries.
• Commenters sought guidance as to what steps businesses must take to notify consumers of data collected from third-party data providers.
• Some speakers urged the Attorney General’s Office to provide guidance on the form and categories of data that a business must provide to consumers in response to an access request in order to reduce risks for businesses.
• Commenters recommended that the Attorney General’s Office allow businesses to offer consumers the choice to delete or to opt out of the sale of some, but not all, personal information.
• Some commenters encouraged the Attorney General to proactively enforce the CCPA, considering that consumers have only a limited private right of action.
• Commenters suggested that a business’s degree of cybersecurity preparedness should be considered as an aggravating or mitigating factor in the event of a data security breach.
• Commenters also suggested that deference should be given to industry standards followed by liability insurance carriers such as the National Institute of Standards and Technology (NIST) when interpreting the CCPA.
No additional comments from AG, upcoming forums
Little was revealed in the first two public forums as to the Attorney General’s current thinking on the draft regulations. The Attorney General’s Office has publicly stated that the forums are primarily focused on listening to public comments and are not intended for the representatives from the Attorney General’s Office to engage with the audience or respond to questions.
In addition to the comments made at the public forums, privacy lawyers, professionals and members of academia have communicated other serious concerns about the implementation of the CCPA in writing. For example, some commenters have expressed concern that the CCPA was enacted to apply across all industries while ignoring many fundamental differences among affected industries. As a result, some businesses that rely heavily on consumers’ personal information in their normal operations could be significantly disrupted. Some commenters also have highlighted problems with the CCPA’s scope of application and the potential for jurisdictional conflicts.
The next four public forums are scheduled to take place on January 24 (Inland Empire/Riverside), January 25 (Los Angeles), February 5 (Sacramento) and February 13 (Fresno). After the public forum tour, the Attorney General’s Office will prepare proposed rules, which will be published for public notice in or around September 2019. The Attorney General’s Office will then solicit formal comments in writing and through televised public hearings before finalizing the rule. DBR on Data will continue to monitor and report on the latest CCPA developments.