The 2018 California Consumer Privacy Act (CCPA) requires the California Attorney General's Office (AGO) to promulgate regulations related to the CCPA by July 1, 2020. The AGO is holding a series of public forums and accepting written comments regarding its CCPA rulemaking. A seventh public forum was recently added to the schedule and will be held at Stanford Law School on March 5, 2019.
The AGO held its third and fourth public forums in Riverside on January 24 and Los Angeles on January 25, respectively. The following is an overview of points of interest that arose from the most recent forums. A summary of the first AGO forum can be found here.
- As with the prior forums, panels of AGO staff received public comments without directly responding to them.
- Attendance ranged from approximately 30 people at the Riverside forum (with five people speaking) to more than 120 people at the Los Angeles forum (with 20 people speaking).
- At this point, AGO staff anticipate releasing CCPA-related regulations in the fall of 2019. A period of public comment with additional public forums will follow the release of the rules. Updates on CCPA rulemaking can be found here.
- The following points of interest, among others, were raised by speakers at the forums:
- Consumer advocates suggested that any data collected by a company should be subject to the CCPA's disclosure requirements, whether or not defined as personal information under the CCPA. They also asked that IP addresses alone (without additional information) and fingerprints be explicitly listed as unique identifiers.
- Industry advocates questioned whether recorded telephone calls constitute personal information under the CCPA.
- Attorney commentators suggested that identifiers should be separated into two categories—sensitive and nonsensitive information—with the former being the only type that is subject to the CCPA. They recommended that "sensitive" identifiers be limited to information that could expose a consumer to identity theft or other particularly sensitive data (e.g., medical information, fingerprints and other biometric information).
- Consumer advocates claimed that permitting fees to be charged in lieu of sharing data would disproportionately affect low-income consumers. One advocate recommended that companies that charge fees be required to publicly disclose revenue reporting at least annually to establish that the fees charged are directly related to the value of the data collected.
- Industry advocates emphasized the need for companies to be able to charge a reasonable fee and requested clarification on exactly how the AGO would determine the reasonableness of fees.
- Industry advocates and attorney commentators recommended that there be a specific exemption for employee data.
Need for Safe Harbors
- Industry advocates and attorney commentators noted the importance of establishing safe harbors from both AGO enforcement and private rights of action for companies that seek to comply with the CCPA.
- Industry advocates asked that template language, forms or mechanisms be provided to enable companies that adopt those templates to fall within a safe harbor (e.g., consumer request verifications, minimum security standards).
- Industry advocates asked that a process be created to enable companies to be certified as in compliance with CCPA requirements.
- Consumer advocates asked that the opt-out process be limited to a short, one- to two-click system. They stressed that the opt-out logo should appear on each webpage of a company and not be limited to only a company's homepage.
- Industry advocates asked that businesses be required to post the opt-out logo on their homepages only. They also recommended that the opt-out logo follow a similar model to the existing self-regulatory program AdChoices.
Internal Inconsistencies/Clarification of Terms
- Industry advocates commented on how inconsistent and undefined terminology in the CCPA makes it difficult for businesses to determine the CCPA's applicability. They asked for clarification on the following points, among
- That companies are not required to collect or store more information than they would otherwise in order to comply with the CCPA.
- Whether the term "technically feasible" applies to a company's internal abilities or, instead, implies a duty to use third-party capabilities where a company does not have the internal capacity.
- Whether carveouts for the definition of "selling" exist where ongoing business requires the transfer of personal information (e.g., with financial institutions) or where an entire business is sold (e.g., a merger).
- What "household" means and how the inclusion of "household" data affects the scope of the CCPA.
- Attorney commentators recommended changes to sections of the CCPA that appear inconsistent with other sections. Among others, they highlighted the apparent discord between sections that empower consumers to request and receive (if their request is verified) specific pieces of information that a company collects about them, and those sections that obligate businesses to identify only the categories of information that they collect about consumers.
Aligning the CCPA with other Regulatory Regimes
- Industry advocates and attorney commentators recommended aligning the CCPA's regulatory regime with existing regimes to facilitate compliance, including the European Union's General Data Protection Regulation (GDPR). One advocate asked that companies that are able to establish their compliance with the GDPR be exempted from the obligations of the CCPA.
The AGO will hold three additional public forums over the coming months: February 5 in Sacramento, February 13 in Fresno and March 5 at Stanford. Information on those forums is available at this link.