Ad industry groups and other organizations sent a letter to the state legislature with specific suggestions for revising the recently enacted California Consumer Privacy Act (CCPA).
Modeled on the European Union’s General Data Protection Regulation, the far-reaching consumer privacy and data security protections found in the statute apply to any for-profit entity doing business in California that (1) collects consumers’ personal information solely or jointly with others, and (2) (i) exceeds $25 million in annual gross revenues; (ii) annually transacts in the PI of 50,000 or more consumers, households or devices; or (iii) derives half or more of its annual revenues from PI sales.
But due “to the extraordinarily quick nature of its introduction and passage (one week), there were many serious technical and substantive errors in the bill,” Dan Jaffe, executive vice president for government relations at the Association of National Advertisers (ANA) wrote in a blog post. “These problems, if left uncorrected, will have [a] substantial adverse impact on the advertising industry and seriously negatively impact consumers.”
To remedy some of the problems, lawmakers are already working on revisions in the pending S. 1121. To help guide legislators, the ANA joined with other industry groups and stakeholders—including the Interactive Advertising Bureau, the California Chamber of Commerce, the California Retailers Association and the Motion Picture Association of America—to send a 20-page letter that detailed proposals for necessary changes.
The most immediate concern: the timing of the attorney general’s rulemaking process. The AG has yet to schedule a date on which he will indicate how he plans to interpret the statute. Businesses, however, need plenty of time to begin working toward compliance with the new law, which, as the group explained, could create a “massive burden” given the breadth of the law. To that end, the letter proposes that the compliance date be delayed until 12 months after the AG publishes the final regulations.
Definitional changes were a major focus of the letter. For example, the groups proposed several modifications to the definition of “personal information” found in the law. As enacted, CCPA’s definition covers cookies, IP addresses and web browsing history, a red flag for the ad industry as it would include the data used for ad targeting.
Alternatively, the letter suggested removing “aggregate consumer information” and information “that is deidentified, pseudonymized or publicly available information,” as well as references to household, devices and family.
“The collection, use, retention, sale and disclosure of information in deidentified or aggregate or pseudonymized form, where it can be used in place of personally identifiable information, is privacy enhancing and beneficial to consumers because it means that the processing of personally identifiable information about them is reduced,” according to the letter. “Businesses that can accomplish their legitimate business purposes through the use of deidentified, pseudonymized and aggregate information can reduce the amount of personally identifiable information that is subject to potential compromise.”
Other changes suggested by the letter include narrowing the term “consumer,” clarifying the scope of exemptions under federal laws such as the Gramm-Leach-Bliley Act and the Fair Credit Reporting Act, and removing the mandate that businesses provide a toll-free number to opt out, instead permitting companies to specify designated contact methods for consumer requests.
To read the letter, click here.
To read S. 1121, click here.
Why it matters: Facing major changes when CCPA takes effect in 2020, the ANA said the pending legislation is a good start, but further refinement will be required. “While ANA believes S.B. 1121 is a step in the right direction, further more detailed legislation will be necessary to clarify and correct the many remaining substantive problems with the CCPA,” Jaffe wrote.