On Friday, January 25, 2019, California Attorney General Xavier Becerra’s Office held the fourth of its six public forums in connection with its rulemaking process for the California Consumer Privacy Act (“CCPA”). The purpose of the open forum, which was held in Los Angeles at the Ronald Reagan State Building, was to provide an initial opportunity for the public to participate in the CCPA rulemaking process. The formal rulemaking process is scheduled to begin later this year.
As noted in a prior Firewall blog post, the recently enacted CCPA grants California consumers the right to know what information companies collect about them, the right to “opt out” from allowing companies to sell their personal information, the right to demand that companies delete collected information, and the right to receive equal service even if consumers exercise their “opt out” right. As required by the CCPA, the Attorney General must adopt its regulations on or before July 1, 2020. Businesses, however, must comply with the CCPA even before then, starting on January 1, 2020.
Numerous members of the public voiced their concerns at the hearing about their own experiences with personal privacy and their expectations of the new law. Consumer advocates, business owners, industry groups, and several law firms also attended and spoke. The Attorney General’s Office staff did not participate in the discussion, explaining their role at this stage is to collect comments and analyze them before the formal rulemaking begins.
The comments at the January 25, 2019 open forum ranged from general praise to requests for clarification to very specific suggestions on how to implement various aspects of the law. Some of the notable comments included:
- The CCPA requires companies to provide consumers with records from the 12-month period before the request. Several commenters asked the Attorney General’s Office to confirm whether the 12-month period will mean companies will need to provide 2019 records in response to requests made in 2020. Several commenters also asked for clarification on the specific types of records that companies will need to maintain.
- A “sale” of personal information under the CCPA includes “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.” Several commenters representing businesses asked for further clarification on whether various types of transfers of information would be considered a “sale” under the CCPA. One interesting example was whether a financial company that sells a loan portfolio is separately “selling” the personal information that the portfolio contains.
- Law firm participants asked the Attorney General’s Office to better define the threshold revenue below which a company will not need to comply with the CCPA (whether it includes in-state, U.S.-based, or all revenue, including international), what the term “household” was intended to capture, and more generally how a company’s compliance with the GDPR will relate to its compliance with the CCPA.
- Several commenters asked whether any “opt-out” will need to be immediate and absolute, or whether a company will be permitted to start any form of dialogue with consumers who request to “opt-out.”
- Several commenters asked for clarification whether certain types of records that the CCPA was not intended to cover—including records collected and maintained under HIPAA and the GLBA—will be fully exempted and how.
- Consumer advocates urged the Attorney General’s Office to make sure that all “opt-out” rights are clear, both in terms of placement and font size, and that regulations be as broad as possible as to information covered under the CCPA.
Friday’s open forum echoes comments from the earlier open forums, which also highlighted concerns regarding:
- The breadth of what “business” means under the CCPA, noting that many small to medium-size businesses with a website may collect personal information related to 50,000 or more consumers, households, or devices.
- The breadth of what counts as “personal information,” which includes an IP address. Some speakers suggested including IP addresses, while others suggested narrowing the scope to specifically exclude them.
- The applicability of the term “consumer” to employee and human resource data, noting that such expansion may not be in line with the legislative history where lawmakers were looking to protect customer privacy rather than employee data.
It is clear from the public comments that there are strongly divergent opinions and interests at play. Consumers and consumer advocates are voicing their support for European-type privacy laws, whereas industry groups and their representatives are urging a more restrained and practical approach to dealing with consumer privacy concerns. We will continue to monitor how these comments inform the rulemaking process. The next open forum will be in Sacramento on February 5, 2019.