May 8, 2019
When the California Consumer Privacy Act passed, it did so quickly and without as much review as many legislators had hoped to give it. As a result, language specifically tasking the California Attorney General with holding public forums and issuing rules regarding the interpretation and implementation of the CCPA was included in the law.
Specifically, section 1798.185 directs the Attorney General to “solicit broad public participation and adopt regulations to further the purposes” of the act. In response to this directive, the California Attorney General and California Department of Justice hosted a series of CCPA public forums on the following topics:
- categories of personal information;
- definition of unique identifiers;
- exceptions to the CCPA;
- submitting and complying with requests;
- uniform opt-out logo/button;
- notices and information to consumers, including financial incentive offerings; and
- verification of consumer requests.
While some members of the public shared unique suggestions and concerns, many comments by both business and consumer advocates were brought up repeatedly at the meetings. Some of these concerns are reflected in amendments that have already been introduced in the legislature, and we anticipate that the Attorney General will also take them into account.
Below is a brief exploration of the concerns brought forward at the San Francisco, San Diego, Riverside, and Los Angeles Forums. (See the Public Forum Part II piece for a synopsis of the Sacramento, Fresno, and Stanford Forums.)
January 8 Forum – San Francisco
Business and trade association representatives expressed concerns that businesses may need to collect more personal information than they would otherwise so that they will later be able to verify access requests. For example, a company that does not collect email addresses will need to collect them to communicate with consumers to verify and respond to requests.
Many speakers were concerned about the CCPA’s broad definition of personal information. Under the statute, IP addresses qualify as personal information, but many IP addresses can actually be associated with multiple individuals.
Business advocates expressed concern that the CCPA, which was written with the intent of protecting individuals in their capacity as consumers, can be applied much more broadly, making employee and human resources information susceptible to the CCPA.
Business advocates were also concerned about the lack of clarity on compliance timing–the statute does not state whether businesses that do not initially fall under the CCPA must comply immediately when they hit the $25 million revenue or 50,000 consumers mark or will be granted a phase-in window.
Speakers sought clarification of the cure provision, specifically asking the extent to which a cure can remedy security breaches retroactively. Other speakers also addressed security, asking the Attorney General to consider creating safe harbor provisions for companies that are already compliant with Europe’s Global Data Protection Regulation (GDPR) or are in the process of implementing a security plan.
On the consumer side, concerns were expressed that the CCPA might impact low income consumers by offering different prices, goods, or levels of service to individuals who opt out of the sale of personal information.
January 14 Forum – San Diego
The San Diego Forum was mainly attended by business and industry representatives. The majority of the meeting centered on the scope of definitions in the CCPA.
The scope of the definition of “personal information” once again garnered multiple comments. Concerns centered around broad terminology such as household (does it include adult children or roommates?) and “capable of being associated with,” which commenters suggested made the definition so broad as to be unclear and potentially unenforceable.
It was again suggested that the statute be either amended or interpreted so as to ensure that the definition of consumer does not include employees and employment information.
Several cybersecurity representatives suggested that the Attorney General should consider matching the definitions in the CCPA to the definitions in the National Institute of Standards and Technology (NIST). One speaker specifically mentioned concerns that differences in definitions between the CCPA and NIST standards could result in an unclear standard of liability that would impact insurance carriers and their ability to assess and insure against certain business risks. Others suggested adopting the same definitions as those used in the GDPR in order to facilitate building uniform privacy programs for corporations functioning under both regimes.
Speakers also sought clarification on how the CCPA’s nondiscrimination provision impacts loyalty programs, something that had been raised in the previous forum.
Speakers again requested Attorney General guidance on how to verify consumer requests. It was suggested that the Attorney General could create an approved verification form.
Consumer advocates urged the Attorney General to interpret the CCPA broadly since the private right of action is limited to security breaches.
A commenter suggested that, to balance consumer and business needs, those businesses without a cybersecurity plan could be presumed liable for security breach events while those with a cybersecurity plan in place could use that plan as an affirmative defense to liability.
January 24 & 25 Forums –
Riverside and Los Angeles
(Combined because only four comments were made at Riverside)
Consumer advocates requested that IP addresses and fingerprints be explicitly included in the definition of identifying information. Industry advocate comments at this and other meetings made it clear that they do not want IP addresses to be included.
Consumer advocates also suggested that opt-out options and required disclosures should only require one or two clicks to complete and that the opt out logo should appear on every webpage, not only a company’s homepage. Industry advocates asked that the opt out logo requirement be limited to the homepage.
Industry advocates requested clarification on the meaning of the exemptions in the CCPA. The CCPA exempts personal information already protected by HIPPA, GLBA, COPPA, California’s Shine the Light Law, and FERPA. However, it is unclear how that language comes into play for organizations that collect information that may be protected under those laws as well as information that may not.
Consumer advocates expressed concern that low income consumers would be disproportionately impacted by charging fees in lieu of sharing data; conversely, business advocates expressed the need for clarification regarding how the Attorney General will determine whether the fees charged are reasonable.
Commenters representing small businesses noted that they will suffer a disparate impact as they struggle to comply with limited resources. Some suggested that enforcement should focus first on larger companies that are in the personal data business.
Businesses also sought clarification on how data security measures would be evaluated to determine whether they fulfilled CCPA requirements.
Speakers requested clarity on the definitions of sale and household. Business advocates also wanted to know whether recorded phone calls (such as those commonly used by customer service centers) would be included in the definition of personal information.
Other comments asked the Attorney General to:
- Develop a uniform “Do Not Sell My Information” log similar to the one used in the AdChoices program opt-out;
- Give guidance on what type of records businesses need to keep to show CCPA compliance in the event of an enforcement action;
- Give guidance on how consumer request verification can occur when the business has only limited information about the consumer;
- Exempt employee data and create safe harbor provisions for those in the process of becoming compliant.
See the Public Forum Part II piece for a synopsis of the Sacramento, Fresno, and Stanford Forums.
DISCLAIMER: This publication has been prepared by SixFifty, LLC to provide information of interest to our readers regarding the California Consumer Privacy Act. It is not intended to provide legal advice for a specific situation or to create an attorney-client relationship. SixFifty, LLC does not provide legal advice.