The California attorney general (the AG) has concluded the first round of public comments on the proposed regulations that would serve to interpret and implement California’s sweeping new privacy law, the California Consumer Privacy Act (the CCPA).

After just under two months since the release of the proposed regulations (the Regs) by the AG and a series of four public hearings across the state in the past week, the final deadline to submit written comments in response to the Regs came and went on Friday, Dec. 6. Now that the first public comment period has ended, there will be revisions to the Regs followed by another wait period, which can be either 15 or 45 days, depending on the extent of changes in response to the first public comment period. In effect, this means that the Regs are subject to further changes, even post-Jan. 1, 2020.

This public comment period provided interested parties with the opportunity to submit written comments regarding the proposed CCPA Regs (set forth at §§ 999.300-999.341 of Title 11, Division 1, Chapter 20 of the California Code of Regulations). While many of our clients sought to convey their comments through their respective trade organizations, more than a dozen other clients asked us to supplement those efforts with a set of aggregate comments, which we filed and which are available here. A summary of our comments is below.

Safe Harbors

During the press conference on Oct. 10, at which the AG discussed the draft Regs as we reported here, the AG clearly and pointedly stated that he would not be treating the period between the effective date of the CCPA (Jan. 1, 2020) and the date on which the AG can enforce the law (July 1, 2020) as a safe harbor.

  • The period between the effective date of the CCPA (Jan. 1, 2020) and the date on which the AG can enforce the law (July 1, 2020) should be treated as a safe harbor for businesses making good faith efforts to come into compliance by July 1.It is clear that the Regs will not be final prior to Jan. 1, leaving businesses and their advisors in limbo as to consequential aspects of the law. Even for companies that have spent the past year or more preparing for the CCPA, compliance with a law that is not final before its effective date is impossible.
  • A business should have the opportunity to cure if it believes, in good faith, that it has achieved compliance and the AG advises otherwise. The proposed Regs leave many unanswered questions and the legislative history provides little guidance on how to comply with the law. Many parts of the statute are ambiguous and subject to entirely reasonable but conflicting interpretations. The right to cure provided in the statute (Section .155(b)) should be a real and meaningful right to prospectively cure.

Retail and Other Offline Collection

The Regs place significant, and sometimes impossible, burdens on retail businesses and other businesses that substantially interact with consumers offline.

  • The numerous in-person notices required by the Regs will only confuse consumers. Retail and other businesses that interact with consumers offline are already required under the Regs to post a link to their privacy notice via prominent, in-store signage or printed forms. Rather than providing additional notices, the privacy policy link posted pursuant to other requirements should be sufficient to meet the numerous notice requirements in the Regs. California consumers are already greeted with numerous written notices when entering a retail location (e.g., Prop. 65). Additional notices will only confuse consumers and will not further the purposes of the CCPA.
  • Retail and other offline businesses should not have to accept consumer requests (e.g., requests to delete, know and opt out of sale) on paper forms at in-person locations, as currently required in the proposed Regs. These businesses should be able to point consumers to the privacy policy where the information can be found, or to the 1-800 number where consumers can exercise these rights. This requirement not only creates operational headaches for businesses, but will potentially expose the personal information of requesting consumers to any number of employees at the location where the request was submitted.
  • Businesses should not be required to train retail-level and similar employees on how to field a consumer request, as would be required by the current draft of the Regs. It is not realistic to expect this of businesses, particularly where employees are often part-time or actually employees of a franchisee and not the brand.

Consumer Requests and Verification

Businesses are scrambling to operationalize and develop procedures to respond to consumer requests, and the Regs do not provide a clear picture of how to provide the rights to only California consumers. Moreover, some of the Regs conflict with the amendments to the CCPA that were signed into law a couple of days after the AG released the draft Regs (as we discussed here and here).

  • The Regs should clarify that CCPA rights apply only to California consumers, and that a business may decline to provide CCPA rights where it cannot reasonably verify residency. A close read of the Regs reveals that the focus is more on proving that a consumer is who they say they are, and not that the consumer is, in fact, a California consumer. Moreover, the Regs in multiple contexts do not allow businesses, service providers or third parties to limit the application of the CCPA to only personal information of California consumers.
  • Businesses, service providers and third parties should be able to use IP address, reference to address on file and other reasonable methods of establishing location to determine a person’s status as a California consumer, including in the context of identity verification.
  • Online-only businesses that have a direct relationship with a consumer should be required only to provide an email address for submitting requests to know. This is consistent with amendments passed in AB 25, which we discussed in detail here.

Service Providers

The Regs put businesses and service providers in a position that will make compliance with the law impossible. As currently written, the Regs would prevent service providers from carrying out routine operational activities.

  • The AG should revise the Regs to state that a service provider shall retain its status as a service provider so long as the purposes for which it is permitted to process personal information under the contract with the business meets the definition of “business purpose” under the CCPA. The Regs’ proposed bright-line rule on what a service provider can and cannot do is unnecessary and does not address the reality of processing activities carried out by vendors that process personal information on behalf of their customers.

Loyalty Programs

The Regs impose restrictions on any “financial incentive,” the definition of which hinges on the collection of personal information. Many consumers want to keep their loyalty programs, which are entirely voluntary in nature. As part of a loyalty program, consumers choose to give their information to a company so that it can provide them with certain benefits, including marketing, sometimes from third parties. Loyalty programs by their nature are financial incentives that require personal information, and are prohibited unless the value received by a consumer from the financial incentive is reasonably related to the value to the business of the consumer’s data.

  • The Regs should establish that “[l]oyalty program benefits are reasonably related to the value of a consumer’s data to the business offering the program arising out of the business’ use and disclosure of that personal information as set forth in the program terms, as a condition of ongoing loyalty program participation, if the terms and benefits of the loyalty program, and the scope of the business’ potential use and disclosure of the personal information, and any related waivers of consumer rights under the Title, are clearly stated in the program terms, the consumer affirmatively accepts the program terms and the consumer can prospectively withdraw from the program and upon doing so prospectively regain the consumer’s full rights under the Title regarding that personal information (including right to know, right to delete and opt out).”

With less than a month until the CCPA becomes effective, we will continue to monitor the AG’s rule-making process.