In anticipation of preparing rules to implement the California Consumer Privacy Act, the California Attorney General recently announced six public forums that he will host in January and February 2019 across California. On January 8, 2019, the AG hosted the first of these forums in San Francisco. The following provides an overview of that forum and the comments made there.
Overview of the January 8, 2019, San Francisco Forum
Stacey Schesser, the Supervising Deputy Attorney General for the AG’s Privacy Unit, provided opening remarks. Ms. Schesser confirmed that the AG’s office is at the very beginning of its rulemaking process. Although the AG’s office will solicit formal comments after it prepares proposed rules, the AG is interested in receiving detailed written comments from the public with proposed language during this informal period.
These forums appear to be designed to inform the AG’s rulemaking and potentially streamline the process, by allowing public input before rules are drafted. In this regard, Ms. Schesser clarified that she and other AG representatives in attendance at the San Francisco forum were there only to listen to the public comments and would not respond to questions or engage with speakers. As a result, if the remaining forums follow a similar approach, it is unlikely that the forums will elicit meaningful intelligence regarding the AG’s anticipated approach to, or the substance of, the anticipated rulemaking.
Also of note, at the outset of the forum, Ms. Schesser encouraged speakers to focus their oral and written comments on the specific rules that the Act directs the AG to issue:
(1) Categories of Personal Information (PI);
(2) Definition of Unique Identifiers;
(3) Exceptions to the Act;
(4) Submitting and Complying with Requirements;
(5) Uniform Opt-Out Logo/Button;
(6) Notices and Information to Consumers; and
(7) Verification of a Consumer’s Request.
It is not clear whether the AG’s encouraged focus for the public comments reflects the fact that the AG intends to limit rulemaking, at least initially, to only those issues where rules are directed by the Act, as opposed to rules under the AG’s general implementing authority.
Comments Made at the Forum
While the forum was well attended and a significant number of individuals pre-registered to speak, only 14 individuals made comments. Business and trade association representatives (including those from the California Chamber of Commerce, the Network Advertising Initiative, and the California Retailers Association) made ten comments while consumer advocates made four. Each speaker was given five minutes to speak.
Business representatives provided the following noteworthy comments regarding the AG’s rulemaking:
- Responding to access requests. Multiple speakers expressed concern that businesses may need to collect more PI than they otherwise would to verify access requests. Speakers urged the AG to clarify how access requests apply to businesses that do not collect identifying information (or to except such businesses from responding to requests) and to confirm that businesses need not collect additional information or re-identify individuals in order to respond to an access request.
- Clarifying key definitions. Multiple speakers asked the AG to clarify various definitions or phrases, including:
  - “Business.” The California Chamber of Commerce (CalChamber) expressed concern about the breadth of covered businesses, noting that any business with a website would likely collect PI related to 50,000 or more consumers, households, or devices. Another speaker requested clarification as to whether the $25 million gross revenue threshold will apply to global revenue or only California-derived revenue and asked the AG to consider a “ramp-up” period for compliance for businesses that previously fell below the revenue threshold but later met the requirement.
  - “Personal information.” One speaker suggested that the definition of PI should not include IP addresses because businesses could not identify a unique individual or identify individuals over time. Another speaker urged the AG to clarify or exclude information related to a particular “household” from the definition of PI.
  - “Specific pieces of PI.” Relevant to the Act’s access obligation, the CalChamber asked the AG to clarify what “specific pieces of information” means and to consider privacy and security issues raised by providing information in response to access requests.
  - “Consumer.” One speaker asked the AG to clarify whether the definition of “consumer” applies to employee and human resource data, noting that, while “consumer” means “California resident,” the legislative history suggests lawmakers were primarily concerned about customer rather than employee privacy.
  - “Sale.” The Network Advertising Initiative asked the AG to clarify the definition of “sale” and to confirm that interest-based advertising does not constitute a “sale” of PI under the Act.
- Safe harbor provisions. Several speakers urged the AG to establish safe harbor provisions, such as a safe harbor for GDPR compliance or for businesses that use AG‑prescribed notices.
- Non-discrimination requirements. Multiple speakers urged the AG to clarify the Act’s non-discrimination provision, and the California Retailers Association specifically requested clarification on how the provision impacts loyalty programs.
In addition, consumer advocates requested that the AG consider rulemaking on the following:
- Categories of personal information. One speaker urged the AG not to limit the definition of PI and to confirm that the definition includes paper documents. Another individual asked the AG to confirm that businesses must include the inferences they draw about consumers in the list of “specific pieces” of PI provided in response to access requests and clarify how businesses should share inferences with consumers.
- Non-discrimination provision. One speaker asked the AG to confirm that businesses cannot charge consumers for exercising opt-out rights, as doing so would disparately impact low-income consumers.
Dates and Locations of Upcoming Public Forums
The AG will hold five more forums, and information on the time and location can be found on the AG’s website:
- San Diego, Monday, January 14, 2019;
- Inland Empire/Riverside, Thursday, January 24, 2019;
- Los Angeles, Friday, January 25, 2019;
- Sacramento, Tuesday, February 5, 2019; and
- Fresno, Wednesday, February 13, 2019.
The AG encourages those who wish to speak to pre-register here. Individuals can also submit written comments by email to [email protected] or by mail to California Department of Justice, ATTN: Privacy Regulations Coordinator, 300 S. Spring St., Los Angeles, CA 90013. Individuals can subscribe to the AG’s mailing list to receive notifications on CCPA rulemaking here.
We will continue to provide periodic updates on the forums, the AG’s rulemaking process, and other relevant CCPA developments. Stay tuned.