The Office of the California Attorney General (AG) made its fourth stop on its statewide California Consumer Privacy Act listening tour, holding in Los Angeles a public forum on the CCPA. The forums invite public comment as the AG prepares regulations for implementing and enforcing the law. Although the AG specifically requested comment on the seven areas identified in the law for the AG's regulation,1 it was clear that some categories caught the attention of the public more than others. And even though the forum was structured to allow participants to provide ideas and suggestions (the AG did not respond to comments or questions presented), most commentators asked for clarity and specific direction from the AG regulations, to help decipher the reach of CCPA and its compliance obligations.
Categories of Personal Information
The CCPA's expansive definition of Person Information (PI) was repeatedly questioned, but also occasionally praised, as two sides emerged in a civilized debate: consumer advocates anxious for greater privacy protections, and business representatives seeking guidance on how to implement those protections. It was clear that many companies are finding it difficult to categorize and identify what is PI under the law and what "capable of being associated with" and "household" actually include. Commentators expressed confusion as to whether employee data would be within the scope of the CCPA and whether PI included all human resources data for former and existing employees. They also asked for clarification as to whether de-identified and aggregate data is excluded. One commentator suggested taking up a GDPR-type approach of distinguishing between sensitive PI, and the many categories of PI that could be considered less sensitive. On the flip side, it was argued that the definition of PI is clear, and that the AG should not be receptive to justifications for any failures to disclose all PI to consumers who request it. Despite the back and forth on what the definition of PI does include, there were no suggestions for expanding the definition to additional categories.
There appeared to be consensus among many commentators speaking on the subject that a unified framework with a logo – similar to the AdChoices program and icon – would be preferable to each business implementing its own "Do Not Sell My Info" link. A graphic logo was suggested (instead of text) because of the negative connotation of "sell," and because businesses did not believe that term accurately reflected the sharing activities that more often occur with third parties. Other commentators suggested borrowing principles that mirror FTC's guidance regarding placement of links, font size and color so that consumers cannot miss opting-out of the sale of their data. Both the business and consumer sides of the debate asked the AG for a simple resolution to the difficult issue of providing consumers with clear and explicit information, in a way that is easy to both understand and effect consumer choice.
Discrimination, or Financial Incentives Offerings
Numerous comments focused on one of the most confusing and highly contested provisions in the CCPA, §1798.125, which prohibits businesses from discriminating against consumers but also allows businesses to offer financial incentives in exchange for the collection, sale or deletion of their PI. Consumer activists are concerned that allowing businesses to charge for privacy protections will inherently cause discrimination against low-income consumers. However, businesses have built innovative business models on collecting information in exchange for their services and argue that ad publishers should be allowed to charge reasonable subscription fees where a consumer opts out of participation in the ad based business model which otherwise finances a free Internet. Commentators asked the AG to be flexible in its approach, and to provide guidance on what would be considered "discriminatory" under CCPA.
Many businesses are concerned with the difficulty of verifying consumer requests and excessive requests which abuse legitimate processes in place for consumers to exercise rights. After enactment of GDPR, some companies have been buried in data subject requests that are illegitimate requests not to exercise rights but to abuse the processes put in place to comply with the regulation. Many businesses are asking the AG to consider this very real possibility and asking that the verification process be flexible, and based on the quality and quantity of data collected. For example, when a business has many kinds of data about an individual, authentication becomes easier. However, when a company only has an IP address, authentication is currently much more difficult. The AG should provide best practices and written guidelines to outline a verification process that does not require the collection of more consumer information in order to properly verify a user.
Exceptions to CCPA
There are various exceptions to the CCPA, and a majority of public comments asked for clarification as to what extent the enumerated exceptions apply. For example, the CCPA exempts medical information governed by the Confidentiality of Medical Information Act, protected health information pursuant to the Health Insurance Portability and Accountability Act, and PI collected pursuant to Gramm-Leach Bliley Act. Commenters want the AG regulations to provide guidance on the scope of those exemptions, and how compliance with other laws (or their Safe Harbor programs) will affect CCPA enforcement. Other comments highlighted an alphabet soup of additional federal and state privacy statutes to be considered for exemption, such as COPPA, SOPIPA, FERPA and California's "Shine the Light" law.
Finally, commentators noted an area of major concern that was not on the list categories for comment – the threshold for a "business" within the scope of CCPA. Currently the regulation applies to for-profit entities, doing business in California with any of the following: (1) gross annual revenue of more than $25 million; (2) buy, receive, sell or share for commercial purposes the PI of at least 50,000 consumers; or (3) at least 50% of annual revenue is from the sale of consumer PI.2 But commentators asked the AG to define "doing business," and raised concern that small businesses that will have to exert significant expense to comply with consumer requests. Many noted that CCPA will not hurt the big search engines and social media platforms that have become household names, but could crush the start-ups and emerging businesses struggling to comply with burdensome state regulation.
Overall, the public forum made clear that the CCPA requirements and application are very far from settled. The AG invites continued public comment, and is expected to release draft regulations in fall 2019. From the number of open questions, it seems that a many businesses will be scrambling to implement those regulations even as the law goes into effect January 1, 2020.
1 The seven categories are available at https://www.oag.ca.gov/sites/all/files/agweb/pdfs/privacy/ccpa-public-forum-ppt.pdf?.
2 CA Civ. Code §1798.140(c).
This post first appeared in Frankfurt Kurnit's Focus on the Data blog (www.focusonthedata.com). It provides general coverage of its subject area. We provide it with the understanding that Frankfurt Kurnit Klein & Selz is not engaged herein in rendering legal advice, and shall not be liable for any damages resulting from any error, inaccuracy, or omission. Our attorneys practice law only in jurisdictions in which they are properly authorized to do so. We do not seek to represent clients in other jurisdictions.