June 14, 2019
When the California Consumer Privacy Act passed, it did so quickly and without as much review as many legislators had hoped to give it. As a result, language specifically tasking the California Attorney General with holding public forums and issuing rules regarding the interpretation and implementation of the CCPA was included in the law.
Specifically, section 1798.185 directs the Attorney General to “solicit broad public participation and adopt regulations to further the purposes” of the act. In response to this directive, the California Attorney General and California Department of Justice hosted a series of CCPA public forums on the following topics:
- categories of personal information;
- definition of unique identifiers;
- exceptions to the CCPA;
- submitting and complying with requests;
- uniform opt-out logo/button;
- notices and information to consumers, including financial incentive offerings; and
- verification of consumer requests.
While some members of the public shared unique suggestions and concerns, many comments by both business and consumer advocates were brought up repeatedly at the meetings. Some of these concerns are reflected in amendments that have already been introduced in the legislature, and we anticipate that the Attorney General will also take them into account.
Below is a brief exploration of the concerns brought forward at the Sacramento, Fresno, and Stanford Forums. (See our Public Forum Part I piece for a synopsis of the San Francisco, San Diego, Riverside, and Los Angeles Forums.)
February 5 Forum – Sacramento
Although the majority of comments came from industry representatives, consumer advocates expressed the following concerns:
- that offering financial incentives and exceptions to the nondiscrimination requirement would create a “pay-for-privacy” regime that would have a disparate impact on low-income consumers;
- that privacy notices under the CCPA need to be clear and user-friendly; and
- that allowing flexible opt-out options (as some business advocates have requested) could negate the goals of the CCPA.
As in other meetings, commenters also requested clarification of:
- the definition of household (concerns were expressed that abusers could potentially gain access to personal information that would enable them to track their spouses or other household members);
- the definition of consumer for business-to-business and affiliate-to-affiliate relationships;
- the definition of sale to clarify what qualifies as valuable consideration;
- appropriate procedures companies should use to verify consumer requests; and
- how business-to-business (i.e., nonconsumer-facing) companies should comply with the explicit notice to consumers requirement.
It was suggested that the Attorney General should create a safe harbor for companies that provide personal information to the wrong person if that company has followed appropriate verification procedures.
Some speakers requested that the Attorney General allow for a flexible version of opt-out and deletion rights instead of an all or nothing version (which some consumer advocates advised against, see above).
Businesses also requested that the Attorney General allow them to charge a reasonable fee to consumers who opt out of sales or choose to delete data.
Some industry-specific concerns were also raised. Educators shared misgivings that the CCPA, as currently written, seems to allow students to request that their grades be deleted. Others commented that the exceptions for GLBA, HIPAA, and CMIA compliant organizations are unclear.
February 13 Forum – Fresno
Although it got off to a slow start due to travel delays for some of the government representatives, the Fresno forum received multiple substantive suggestions and inquiries from both industry and consumer representatives.
Industry representatives suggested removing “probabilistic” from the definition of unique identifiers due to the burden associated with determining and disclosing that information when they are not already using any of the information to determine probabilistic identifiers.
Industry representatives continue to request that employee data be exempt from the CCPA. Similarly, they would like business-to-business lists that incidentally include people who are consumers in other contexts to be exempted because they are on the lists because of their connection with a business and information shared by them for a business purpose.
Safe harbors and exemptions continued to be raised by industry representatives. At this meeting, they specifically suggested that any business that meets Privacy Shield and/or GDPR obligations should be exempted from the CCPA. They also suggested creating incentives, similar to what is done in the GDOR, for the pseudonymization of data.
Industry representatives also requested that the Attorney General specify a defined period of time that businesses will have to become compliant after reaching the $25 million revenue mark.
For businesses that only gather data online, a commenter suggested that they be allowed to offer opt-out options online only instead of having to also operate a toll free number.
As with the other forums, clarifications were again sought for the meaning of “capable of being associated with” and “household,” and flexible options for opting out (the ability for a company to offer consumers choices about which data sharing to opt out of instead of an all or nothing approach) were requested.
March 5 Forum – Stanford
Stanford, the last public forum, was also the first one at which the consumer and industry representatives made an equal number of comments.
Business advocates pointed out the differences with GDPR, seeking clarification on the differences between data controllers and data processors. They particularly requested clarity for situations in which a business has no direct relationship with the consumer.
Industry representatives once again requested that Attorney General remove IP addresses and device IDs from the CCPA’s definition of personal information. They also again requested safe harbors for companies in compliance with the GDPR or industry-specific privacy regulations.
On the other side of the equation, consumer advocates focused on enforcement issues, suggesting that giving enforcement power to local district attorney offices and law enforcement would enable the CCPA to provide the protection it is supposed to offer California consumers.
Consumer advocates once again raised concerns that the CCPA’s anti-discrimination language is not strong enough and puts economically disadvantaged groups at risk of losing privacy rights in a pay-for-privacy regime.
The third party request option (whereby consumers can authorize someone else to make data requests for them) was of particular concern in terms of how companies should verify the legitimacy of those requests.
Other concerns regarding verification came from business and consumer groups alike, suggesting that businesses may ultimately start collecting more information than they currently do in order to implement a robust verification process. Consumer advocates suggested creating two different standards of verification: a lower standard for requests regarding categories of information collected and a higher standard for requests regarding specific pieces of personal information.
Consumer and business advocates alike continued to express concern that household has been included in the definition of personal information. Requiring businesses to disclose information about one household member to another raises privacy and security concerns.
Summary
Each forum provided a combination of unique comments and common concerns. Common concerns included the definitions of consumer, personal information, household, sale, and devices. Business representatives showed a strong desire for an exemption for employee information, safe harbors for companies already complying with the GDPR or another data privacy regulation (HIPPA, GLBA, COPPA, etc.), and clarity on how verification processes will be assessed. Consumer advocates expressed strong concern that the CCPA may allow a pay-for-privacy regime to grow, that vulnerable groups like children and seniors are not protected well enough, and that enforcement will not be strong enough.
DISCLAIMER: This publication has been prepared by SixFifty, LLC to provide information of interest to our readers regarding the California Consumer Privacy Act. It is not intended to provide legal advice for a specific situation or to create an attorney-client relationship. SixFifty, LLC does not provide legal advice.
Written by Marie Kulbeth
Marie Kulbeth is a Co-Founder and General Counsel of SixFifty, and the co-director of BYU LawX, a legal design lab dedicated to solving access to justice problems. She works to make the law straightforward for everyone, regardless of education level or income. Marie keeps her passion for equitable, accessible legal services at the forefront of her career. Her role as...
Full Bio and other articles by Marie Kulbeth
About The Author: Marie Kulbeth
Marie Kulbeth is a Co-Founder and General Counsel of SixFifty, and the co-director of BYU LawX, a legal design lab dedicated to solving access to justice problems. She works to make the law straightforward for everyone, regardless of education level or income.
Marie keeps her passion for equitable, accessible legal services at the forefront of her career. Her role as General Counsel allows her to field-test SixFifty’s products to ensure they’ll work for customers.
Education and Experience
Marie attended Brigham Young University, and spent most of her undergrad studying International Politics and Development. It was during a field study in South Africa that she first decided to become a lawyer. As she researched the new South African constitution and worked with community organizers, Marie became fascinated with the development of the rule of law and how it in turn fosters economic development.
After undergrad, she attended BYU Law, where she continued focusing on improving equity, specifically through access to justice. She spent time interning with a nonprofit at the Human Rights Council in Geneva and with the United Nations International Tribunal for the Rwandan Genocide. At home, she interned with Catholic Charities, focusing on supporting asylum cases. Marie’s work with communities and governments across the globe broadened her understanding of how the law can either uplift or further harm underserved populations.
After law school, Marie worked as a judicial law clerk for the US Fifth Circuit Court of Appeals. She then practiced commercial litigation in Salt Lake City before returning to BYU Law, where she became an Assistant Dean. During her time at BYU Law, Marie built a diversity recruiting program and a storytelling program. Although she has left academia, she continues to keep a hand in by teaching a legal design class at BYU Law School and an undergraduate international politics class that focuses on development and diplomacy at BYU’s Kennedy Center. Both courses help students increase their community engagement and use their skills to create change.
Achievements with SixFifty
Marie’s work with both SixFifty and LawX focuses on making the law less complicated and
more equitable for both companies and individuals.
Marie’s legal specialty is privacy. She has additional focus areas in legal technology; diversity, equity and inclusion; employment; and compliance. She enjoys the opportunity to build products with the legal product team, including pro bono products. This allows her to work with communities she cares about – and complements the work she continues to do at BYU.
With Marie’s guidance and experience, SixFifty is able to offer privacy products that allow even small companies to easily comply with global privacy restrictions. Her passion for making the law accessible to everyone is evident in our pro bono products, which help individuals access free legal help for common issues.
Get to Know Marie
When she’s not helping to advance SixFifty’s mission, Marie travels whenever she can. Keep your eyes open and you may find her anywhere in the world – one of her favorite trips was a seven-day motorbike tour of northern Thailand. She especially loves to canyoneer in southern Utah and explore wilderness areas.
Marie also continues her community development and education work. She is on the board of several nonprofits, including one that runs primary schools in South Sudan and the Utah Tribal Relief Foundation. She recently joined the board of the Mountainland Association of Governments, which focuses on making loans to entrepreneurs from underserved communities who lack access to traditional funding. She’s also a Model UN legend! She is the Executive Director of BYUMUN, Utah’s premier high school Model United Nations learning conference.
Marie loves podcasts and will nerd out on anything related to the law, the history of the English language, and anything done by the people at Radiolab.
Bar Licensed
Utah
More posts by Marie Kulbeth