The California Attorney General (AG) held its final public forum on the California Consumer Privacy Act (CCPA) in Stanford on March 5, 2019. The Stanford forum was well attended, with over 100 people in the audience, and it featured 22 individuals speaking for two and a half hours. The following provides an overview of the Stanford forum and comments made at the forum. You can also read our reports on previous forums here.
AG’s Opening Remarks
Lisa Kim, Deputy Attorney General for the AG’s Privacy Unit, opened the forum, and, as in prior forums, directed speakers to focus comments on those areas of the Act that call for specific AG rules, set for on the AG’s presentation slides (available here). Ms. Kim noted that March 8, 2019 was the last day to submit written comments and proposed regulatory language during this pre-rulemaking phase. As for the timing for publishing proposed rules, Ms. Kim stated that the AG was targeting “early” Fall 2019. After the proposed rules are published, there will be a period for public comment and additional public hearings, which will be webcast live and videotaped.
Participants at the Forum
Twenty-two individuals provided comments at the forum, with comments equally divided between business/industry representatives and consumer advocates/private citizens. This was an interesting contrast to previous forums, in which the majority of comments came from business and industry representatives.
Business and industry representatives focused on the following issues:
- Importance of rulemaking. Many speakers noted the lack of clarity in the CCPA and emphasized the need for wide-ranging, substantive, and “bold” rulemaking by the AG’s office.
- Removing IP addresses/device IDs from the definition of Personal Information. As in previous forums, several speakers suggested that the definition of personal information should not include IP addresses/device IDs because businesses could not verify a unique individual based on IP address/device ID alone without collecting or receiving other personal information or being required to “re-link” information that had previously been unlinked (or never linked) to protect privacy.
- Ad tech industry-related. A number of speakers representing the ad tech industry expressed concern that the CCPA was not drafted with the ad tech industry in mind. As a result, the speakers noted that ad tech companies are struggling to determine how to comply with the CCPA because many requirements (such as providing opt-out rights and giving notice prior to collection of personal information) seem almost impossible for ad tech companies to fulfill, given that they generally have no direct relationship with the end-customer.
- Service provider obligations under CCPA. On a similar note, other representatives of B2B companies (but outside the ad tech space) commented on the lack of a clear distinction in the CCPA between “data controllers” and “data processors.” These speakers requested clarification of which CCPA obligations applied to companies acting as service providers who do not have direct relationships with end-customers.
- Safe harbor. As in previous forums, multiple speakers urged the AG to establish safe harbor provisions, such as for companies that are in compliance with other privacy laws (e.g., GDPR, GLBA, and HIPAA).
- Extending deadlines for compliance and enforcement. Some individuals expressed the hope that the AG would extend deadlines for compliance and enforcement, given the fundamental ambiguities in the CCPA and the fact that rulemaking deadlines have been extended.
Consumer advocates focused on the following issues:
- Expanding CCPA enforcement powers. Several speakers requested that the AG consider expanding the ability to enforce the CCPA to other law enforcement officials, such as district attorneys and other local-level law enforcement officials.
- Protecting vulnerable groups. Several speakers commented on the importance of considering the special needs and rights of vulnerable or protected groups, such as children, seniors, and persons with disabilities, when undertaking CCPA rulemaking. These speakers were particularly concerned that rulemaking might undermine existing protections for children in the CCPA.
- Anti-discrimination. A number of individuals commented on the need to shore up the anti-discrimination provisions in the CCPA to ensure that consumers are not charged money to protect their privacy or are otherwise penalized for exercising their rights under CCPA.
Business AND consumer advocates alike focused on the following issues:
- Verification of consumer requests. Multiple speakers’ comments focused on verification of consumer requests, including the need for clear verification guidelines. Business representatives and consumer advocates alike voiced concern over the potential amount of information businesses might have to collect from consumers to fulfill access requests. Two consumer advocates proposed implementing different standards for verifying requests, depending on the type of request being made: a higher standard for providing a consumer with specific pieces of personal information, and a lower standard for providing a consumer with basic disclosures regarding the categories of personal information collected, disclosed, and sold.
- Remove “household” from the definition of Personal Information. Two speakers — one from industry and one consumer advocate — urged the AG to clarify or exclude information related to a particular “household” from the definition of personal information. The industry speaker asked the AG to consider a rule that requires businesses to provide access to household data only where the data is collected at the household level (e.g., records of utility usage). The speaker emphasized that a business should not be forced to provide data regarding one household member’s use of an individual device to another household member because this raises privacy and security concerns.