This week, the California Attorney General held public hearings on the draft California Consumer Privacy Act (CCPA) regulations it issued in October. We attended the hearings in both Los Angeles and San Francisco. One clear message resounded: the proposed regulations, if left as drafted, are likely to produce unintended consequences.
Both hearings were well-attended, with dozens of comments from businesspeople, attorneys, and a handful of concerned citizens. In addition to these two hearings, the Attorney General also held public hearings in Sacramento and Fresno, and is accepting written comments through Friday, December 6, 2019. If the Los Angeles and San Francisco hearings are any indication, there are many areas in which the Attorney General could provide further clarity should it choose to revise the current draft regulations.
At the Los Angeles hearing, virtually every one of the roughly 25 speakers indicated that his or her organization was eager to comply with the CCPA and the proposed regulations, but needed guidance as to certain aspects of the regulations or better definitions of some of the terms used. Several speakers raised concerns with verifying identity where the requesting consumer is a non-customer. As was rightly pointed out, although the regulations address verification, various situations involving non-customers still present a dilemma for businesses trying to comply with the CCPA—for example, where the only information possessed is an IP address. There were also several astute comments about the risk of fraud in the context of notices to consumers whose data has already been collected, similar to what happened with GDPR phishing scams.
Multiple speakers asked for clarification of what is meant by the term “reasonable security measures” and clarification of what constitutes a “secure” means of transmitting personal information to a requesting consumer. There were also multiple questions about what constitutes a “sale” under the CCPA, and whether a company’s use of ad tech services on its website involves a sale of personal information. Behind these and many similar requests for clarification was either an express or implied fear that misinterpreting one of the many technical terms used in the CCPA and the Attorney General’s proposed regulations could expose a business to liability, either to private plaintiffs attempting to use other statutes to bring claims for violating the Act or to enforcement by the Attorney General itself. It was rightly pointed out that the Attorney General has thus far provided little guidance on what an enforcement action might look like—e.g., will there be an opportunity to take corrective action before fines are imposed, and what will the timing look like?
In San Francisco, there were a similar number of registered speakers who appeared to raise concerns. Most interestingly, one of the CCPA co-authors, Rick Arney of Californians for Consumer Privacy, spoke. First, he suggested that proposed regulation 999.305 should clarify that where physical notice is required it should be provided at the point of collection—in other words, where the business is physically collecting data. Second, Arney urged that the regulations include language stating that a consumer can opt out through a global setting on a browser and that a business cannot restrict consumers’ right to opt out with inconvenient methods. Third, he took issue with the time period to respond to an opt-out request. He stated that the intention in the CCPA was for any opt-out request to be immediately processed, at the longest within 72 hours—not 15 days. Last, he requested the Attorney General implement rules imposing higher standards for accessing highly sensitive personal identifying information.
Other speakers included individuals representing various industries, professionals, and organizations such as automobile manufacturers, attorneys, magazine publishers, advertisers, small credit unions, technology companies, and start-up businesses. Some commentators commended the enactment of the CCPA as vital for the protection of privacy rights while others expressed significant reservations about its scope and impact on businesses. Both sides, however, shared equal concerns about the unclear and often conflicting definitions within the CCPA and the implementing regulations. Many companies shared probing comments and concerns regarding the likely unintended effect of certain regulations on industries. For example, automobile manufacturers expressed concerns with their ability to retain and use Vehicle Identification Numbers (VIN) to track quality, safety, performance, and efficiency of their vehicles.
Another commentator on behalf of advertisers questioned the unintended consequences the CCPA may have on loyalty programs such as frequent flyer, gasoline rewards, and customer loyalty rewards. Another contributor stated that the proposed regulations would preclude the ability of software-as-a-service companies to internally utilize information for basic business needs concerning their human resources, accounting, and project management departments.
The public comments highlighted the differing ways the CCPA and the Attorney General regulations are being interpreted, and the potential exposure to businesses large and small. Helpful suggestions included establishing a privacy seal or other standard that would allow consumers to know if a business’s privacy program meets state standards, checklists for compliance, and a state-verified resource to establish the validity of deletion or opt-out requests coming from a third party. Other companies requested an extension of time on the effective date of the CCPA to January 1, 2022 to allow proper compliance with its requirements.
If there was one overarching theme to these hearings, it was that the proposed regulations (and the CCPA itself) are likely to produce some unintended consequences. As many of the speakers pointed out, there are several areas in which the language of the current regulations could make it difficult for businesses to comply or lead to results that seem unlikely to have been on legislators’ minds in drafting the CCPA. To that end, although the CCPA is intended primarily to give consumers more control over the use of their personal data by companies that profit from it, the diversity of the businesses in attendance at the Attorney General hearings showed that organizations of all types, sizes, and industries are scrambling to comply. It remains to be seen if, and how, the Attorney General responds to the many public comments received in any potential revisions to the proposed regulations.