California Attorney General urged to make CCPA regulations more flexible

Nouveau Regime

Last June, the California legislature passed Assembly Bill 375 – the California Consumer Privacy Act (CCPA) of 2018 – which was swiftly signed into law by then-governor Jerry Brown. Panic ensued over the implications of this new privacy law, which provides greater transparency and choice for California consumers with respect to their personal information. (For a comprehensive review of the CCPA, see our article here.)

Back in September 2018, Governor Brown signed into law amendments to the CCPA that extend the time for the California attorney general (CaAG) to promulgate regulations to July 1, 2020, which could delay enforcement of the CCPA for up to six months. The delay has left open the door for additional criticism and proposals for alternative federal legislation that would pre-empt the CCPA altogether – see here for an example of one such framework.

The leading advertising and marketing associations in the U.S., including the Interactive Advertising Bureau, the Network Advertising Initiative, the Association of National Advertisers and the American Association of Advertising Agencies, have submitted a joint letter to the CaAG outlining their “notable concerns around the likely negative impact on California consumers and businesses from some of the specific language” in the CCPA and highlighting areas of the law they believe could be clarified.

Among their comments in the letter, the associations are utilizing their platform to “urge the AG to recognize that a written assurance of CCPA compliance is sufficient and reasonable” with regard to the obligations set forth in Section 1798.115(d) of the CCPA, which prohibits a company from selling consumer personal information that it did not receive directly from the consumer, unless the consumer has received “explicit notice” and is provided an opportunity to exercise the right to opt out of the sale. The letter also requests “that the AG clarify that businesses may offer reasonable options to consumers to choose the types of ‘sales’ they want to opt out of, the types of data they want deleted, or to completely opt out,” rather than the current approach set forth in the CCPA, which requires businesses to allow consumers to entirely opt out of the sale of their data or delete their data, which is an all or nothing approach.

Finally, the letter calls on the AG to clarify that a business does not need to create individualized privacy policies for each consumer to comply with the CCPA’s requirement that a business’ privacy policy disclose to a consumer the specific pieces of personal information the business has collected about that consumer.

The Takeaway

As is evident from the letter submitted to the CaAG by the associations, there is room for clarification as to the requirements set forth by the CCPA.