As we noted previously, the California Attorney General is holding a series of public forums on the California Consumer Privacy Act (CCPA) to provide the public with an initial opportunity to comment on CCPA requirements and the corresponding regulations that the Attorney General must adopt on or before July 1, 2020. On Friday, January 25, 2019, the Attorney General’s Office held its fourth of six hearings before a full auditorium in Los Angeles. This blog post summarizes the main themes discussed at the hearing.
Timing/Scope: For businesses hoping for CCPA clarity and guidance soon, that seems unlikely. California Deputy Attorney General Lisa Kim initiated the hearing, emphasizing that the Attorney General’s Office was at the beginning of its rulemaking process and noting that she did not anticipate the formal review process starting until Fall 2019. For now, the Attorney General’s Office encouraged interested parties to submit comments by the end of February, focusing on subjects within the scope of the Attorney General’s rulemaking responsibilities, as set forth in the CCPA, including:
- Categories of Personal Information
- Definition of Unique Identifiers
- CCPA Exemptions
- Submitting and Complying with Consumer Requests
- Uniform Opt-Out Logo/Button
- Notices and Information to Consumers, including Financial Incentive Offerings
- Certification of Consumers’ Requests
During the hearing, the Attorney General’s Office displayed this PowerPoint deck, summarizing the CCPA regulatory process.
1. What’s in Scope?
Many attendees asked the Attorney General’s Office to clarify key defined terms, such as what:
- “Business” entities are covered by the law, including what it means to “do business” in California, how the threshold criteria should be applied, and how the exemptions should be interpreted (is the entire business exempted, or are only the particular business practices subject to the exemption?).
- “Personal Information” covers, given the broad definition of the term. Specifically, would IP addresses, proprietary unique identifiers, or general household data alone trigger the law because they are “related” to a person, or are further context or identifiers necessary to render the information personal?
Some attendees also urged the Attorney General, to the extent that regulatory clarifications cannot accomplish this, to communicate with the legislature to encourage different treatment of categories of “Personal Information.” Attendees suggested that the more onerous obligations in the CCPA should apply to more sensitive information, so that the CCPA incentivizes data minimization and pseudonymization, which promote consumer privacy.
2. What Do I Need to Retain and Starting When?
Several attendees asked the Attorney General’s Office to provide clarification as to whether companies are obligated to retain records in the time leading up to the CCPA’s effective and enforcement dates, as well as what records companies must retain to demonstrate their compliance with consumer deletion requests.
3. Opt-Out Options / “Do Not Sell My Info” Link
Attendees urged the Attorney General’s Office to consider supporting a universal opt-out icon, similar to the ad choices opt-out icon for interest-based advertising, noting possible consumer confusion and additional compliance costs associated with the lack of a common method. Attendees also suggested that the Attorney General consider the former EU Working Party 29’s guidance on the benefits of using a standardized icon to increase consumer transparency.
Some participants also expressed concern as to whether the CCPA’s mandated “Do Not Sell” link has a confusing negative connotation. Participants also urged the Attorney General to evaluate what qualifies as a “sale” of “Personal Information,” noting that the current definition could inadvertently sweep in unintended business practices involving data, scaring consumers without adequately explaining what data practices are occurring.
4. Will There Be A Safe Harbor?
On both privacy and data security, participants asked the Attorney General’s Office to consider identifying certification standards and a possible safe harbor that businesses could meet (and be audited against) to demonstrate compliance with the CCPA.
5. Clarify What CCPA Treats as Discriminatory Financial Incentives
IAB’s representative urged the Attorney General’s Office to clarify that the CCPA’s nondiscrimination provisions allow a reasonable fee to be charged for an advertising-supported model, noting that small publishers rely on advertisers to support their services and to provide content. Losing the ability to charge such a fee would result in lost voices within the digital ecosystem.
6. Reasonable Limitations on the Scope of Consumer Requests About Their Data
Participants asked for clarification of, and reasonable limitations on, consumer requests about their data, noting a viral GDPR nightmare example of a data subject request that was more akin to a full audit of the company and its practices than an individual request. Participants noted the burdens such requests would pose, particularly on small and medium-sized businesses that receive these types of requests.
7. Consumer Privacy Concerns
Several consumer advocacy groups and individual consumers participated in the hearing as well, urging the Attorney General to give consumers control over data collected about them rather than lightening the obligations of the CCPA through regulation. Each commented on the frequency of data breaches, noting that the CCPA puts the Attorney General in a position to incentivize companies to better safeguard their data. Some emphasized that the financial incentives and non-discrimination provisions in the CCPA are of utmost importance in helping to avoid a scenario where mid- to low-income consumers are compelled to give up their data in exchange for access to online services.