June 14, 2019
When the California Consumer Privacy Act passed, it did so quickly and without as much review as many legislators had hoped to give it. As a result, language specifically tasking the California Attorney General with holding public forums and issuing rules regarding the interpretation and implementation of the CCPA was included in the law.
Specifically, section 1798.185 directs the Attorney General to “solicit broad public participation and adopt regulations to further the purposes” of the act. In response to this directive, the California Attorney General and California Department of Justice hosted a series of CCPA public forums on the following topics:
- categories of personal information;
- definition of unique identifiers;
- exceptions to the CCPA;
- submitting and complying with requests;
- uniform opt-out logo/button;
- notices and information to consumers, including financial incentive offerings; and
- verification of consumer requests.
While some members of the public shared unique suggestions and concerns, many comments by both business and consumer advocates were brought up repeatedly at the meetings. Some of these concerns are reflected in amendments that have already been introduced in the legislature, and we anticipate that the Attorney General will also take them into account.
Below is a brief exploration of the concerns brought forward at the Sacramento, Fresno, and Stanford Forums. (See our Public Forum Part I piece for a synopsis of the San Francisco, San Diego, Riverside, and Los Angeles Forums.)
February 5 Forum – Sacramento
Although the majority of comments came from industry representatives, consumer advocates expressed the following concerns:
- that offering financial incentives and exceptions to the nondiscrimination requirement would create a “pay-for-privacy” regime that would have a disparate impact on low-income consumers;
- that privacy notices under the CCPA need to be clear and user-friendly; and
- that allowing flexible opt-out options (as some business advocates have requested) could negate the goals of the CCPA.
As in other meetings, commenters also requested clarification of:
- the definition of household (concerns were expressed that abusers could potentially gain access to personal information that would enable them to track their spouses or other household members);
- the definition of consumer for business-to-business and affiliate-to-affiliate relationships;
- the definition of sale to clarify what qualifies as valuable consideration;
- appropriate procedures companies should use to verify consumer requests; and
- how business-to-business (i.e., nonconsumer-facing) companies should comply with the explicit notice to consumers requirement.
It was suggested that the Attorney General should create a safe harbor for companies that provide personal information to the wrong person if that company has followed appropriate verification procedures.
Some speakers requested that the Attorney General allow for a flexible version of opt-out and deletion rights instead of an all or nothing version (which some consumer advocates advised against, see above).
Businesses also requested that the Attorney General allow them to charge a reasonable fee to consumers who opt out of sales or choose to delete data.
Some industry-specific concerns were also raised. Educators shared misgivings that the CCPA, as currently written, seems to allow students to request that their grades be deleted. Others commented that the exceptions for GLBA, HIPAA, and CMIA compliant organizations are unclear.
February 13 Forum – Fresno
Although it got off to a slow start due to travel delays for some of the government representatives, the Fresno forum received multiple substantive suggestions and inquiries from both industry and consumer representatives.
Industry representatives suggested removing “probabilistic” from the definition of unique identifiers due to the burden associated with determining and disclosing that information when they are not already using any of the information to determine probabilistic identifiers.
Industry representatives continue to request that employee data be exempt from the CCPA. Similarly, they would like business-to-business lists that incidentally include people who are consumers in other contexts to be exempted because they are on the lists because of their connection with a business and information shared by them for a business purpose.
Safe harbors and exemptions continued to be raised by industry representatives. At this meeting, they specifically suggested that any business that meets Privacy Shield and/or GDPR obligations should be exempted from the CCPA. They also suggested creating incentives, similar to what is done in the GDOR, for the pseudonymization of data.
Industry representatives also requested that the Attorney General specify a defined period of time that businesses will have to become compliant after reaching the $25 million revenue mark.
For businesses that only gather data online, a commenter suggested that they be allowed to offer opt-out options online only instead of having to also operate a toll free number.
As with the other forums, clarifications were again sought for the meaning of “capable of being associated with” and “household,” and flexible options for opting out (the ability for a company to offer consumers choices about which data sharing to opt out of instead of an all or nothing approach) were requested.
March 5 Forum – Stanford
Stanford, the last public forum, was also the first one at which the consumer and industry representatives made an equal number of comments.
Business advocates pointed out the differences with GDPR, seeking clarification on the differences between data controllers and data processors. They particularly requested clarity for situations in which a business has no direct relationship with the consumer.
Industry representatives once again requested that Attorney General remove IP addresses and device IDs from the CCPA’s definition of personal information. They also again requested safe harbors for companies in compliance with the GDPR or industry-specific privacy regulations.
On the other side of the equation, consumer advocates focused on enforcement issues, suggesting that giving enforcement power to local district attorney offices and law enforcement would enable the CCPA to provide the protection it is supposed to offer California consumers.
Consumer advocates once again raised concerns that the CCPA’s anti-discrimination language is not strong enough and puts economically disadvantaged groups at risk of losing privacy rights in a pay-for-privacy regime.
The third party request option (whereby consumers can authorize someone else to make data requests for them) was of particular concern in terms of how companies should verify the legitimacy of those requests.
Other concerns regarding verification came from business and consumer groups alike, suggesting that businesses may ultimately start collecting more information than they currently do in order to implement a robust verification process. Consumer advocates suggested creating two different standards of verification: a lower standard for requests regarding categories of information collected and a higher standard for requests regarding specific pieces of personal information.
Consumer and business advocates alike continued to express concern that household has been included in the definition of personal information. Requiring businesses to disclose information about one household member to another raises privacy and security concerns.
Each forum provided a combination of unique comments and common concerns. Common concerns included the definitions of consumer, personal information, household, sale, and devices. Business representatives showed a strong desire for an exemption for employee information, safe harbors for companies already complying with the GDPR or another data privacy regulation (HIPPA, GLBA, COPPA, etc.), and clarity on how verification processes will be assessed. Consumer advocates expressed strong concern that the CCPA may allow a pay-for-privacy regime to grow, that vulnerable groups like children and seniors are not protected well enough, and that enforcement will not be strong enough.
DISCLAIMER: This publication has been prepared by SixFifty, LLC to provide information of interest to our readers regarding the California Consumer Privacy Act. It is not intended to provide legal advice for a specific situation or to create an attorney-client relationship. SixFifty, LLC does not provide legal advice.