The California Attorney General’s Office has begun the rulemaking process for the California Consumer Privacy Act (CCPA) by holding public forums to allow all interested persons the opportunity to provide comments. The forums provide an important opportunity to voice concerns and provide input to the Attorney General’s Office (AGO) as it develops rules to clarify many aspects of the CCPA. The AGO has not published any proposed rules yet, but it must adopt these rules before July 1, 2020. Attorneys from Loeb & Loeb’s Privacy, Security and Data Innovations team attended the first two forums, in San Francisco and San Diego, and will be providing comments at the remaining forums and during the subsequent rulemaking process. Loeb & Loeb has been working with several industry organizations, which have also submitted comments during the process. Loeb & Loeb attorney Allison Cohen, along with 40 other California-based privacy experts, has also signed a letter urging the California legislature to make major changes to the CCPA.
Initial Report from the CCPA Forums
Attendees at the first two forums commented on many aspects of the CCPA, but most comments focused primarily on the following aspects:
- Clarification of the definition of “sale” of personal information. The CCPA currently defines “sale” as any dissemination of a consumer’s personal information “to another business or third party for monetary or other valuable consideration.”
- The application of the CCPA to employee and HR data, particularly when collected and used for employment and HR purposes.
- The need to align the CCPA with GDPR and other privacy regimes, given the expense and time businesses have invested in complying with such laws. While there is some overlap with GDPR, there are significant differences between the CCPA and GDPR, which will require further compliance by companies.
- Clarification of the inclusion of IP addresses in the definition of personal information, specifically the burden on companies that collect only IP addresses, including concerns about the need to collect personal information in order to validate and verify consumer requests.
- Clarification of the definition of “homepage”, specifically whether the Opt-Out link/button needs to be on every page of a website or just the “homepage” or a California-specific page.
- Establishing safe harbor procedures for companies that comply with GDPR and with other compliance best practices that the AGO may provide.
- Clarifying the monetary and numerical thresholds at which the CCPA applies, including when compliance requirements begin after meeting the threshold and whether the thresholds pertain only to California activities or take into account activities outside of California.
- Clarification and interpretation of sections allowing companies to charge a consumer a different price or rate, or provide a different level or quality of goods or services to the consumer, if that difference is reasonably related to the value provided to the consumer by the consumer’s data.
- Clarification of the impact of the CCPA on loyalty programs, which could be viewed as either “financial incentives” or discrimination.
The AGO has indicated that it will not provide any comments or answer questions about the CCPA at the forums, but it is soliciting feedback on the following topics:
- Categories of Personal Information: Whether additional categories of personal information are necessary to address changes in technology, data collection practices, obstacles to implementation, and privacy concerns.
- Definitions of Unique Identifiers: Whether this definition should be updated to address changes in technology, data collection, obstacles to implementation, and privacy concerns.
- Exceptions to the CCPA: Whether further exceptions are necessary to comply with state or federal law, including but not limited to laws relating to trade secrets and intellectual property rights.
- Submitting and Complying with Requests: Rules and procedures to facilitate and govern the submission of an opt-out request and a business’s compliance with a consumer’s opt-out request.
- Uniform Opt-Out Logo/Button: Rules and procedures about the development and use of a recognizable and uniform opt-out logo or button to opt out of the sale of personal information.
- Notices and Information to Consumers: Rules, procedures, and any exceptions regarding the notices and information businesses are required to provide to consumers.
- Verification of Consumers’ Requests: Rules and procedures about how consumers can submit verifiable consumer requests and how businesses can validate the requests.