The California Attorney General continued its series of public forums regarding the California Consumer Privacy Act (CCPA), with forums last week in Riverside (January 24, 2019) and Los Angeles (January 25, 2019). As in the previous forums, there were a significant number of attendees, but few elected to speak publicly regarding their views on the Act. You can read our reports on the public forums held earlier this month in San Francisco and San Diego.
Lisa Kim, Deputy Attorney General for the AG’s Privacy Unit, provided opening remarks at both forums and identified the areas of the AG’s rulemaking on which speakers should focus their comments, specifically those areas of the Act that call for specific AG rules. Ms. Kim encouraged interested parties to provide written comments and proposed regulatory language during this pre-rulemaking phase. Consistent with the prior forums, she noted that the AG’s office would be listening, and not responding, to comments made in Riverside and Los Angeles.
Of note, the presentation slides made available at the forum (and available here) state that the AG anticipates publishing proposed rules in Fall 2019,and that after that there will be a period for public comment and additional public hearings.
Participation at the Forums
Twenty people provided comments at the Los Angeles forum, while only four made remarks at the Riverside forum. The majority of the public comments in Los Angeles, and all of the comments made in Riverside, were by business or trade association representatives. Consumer advocates provided limited comments at the Los Angeles forum.
Each speaker was allocated five minutes to speak. While some of the comments echoed those made at the previous forums, others raised new issues.
Business and industry representatives provided the following noteworthy comments regarding the AG’s rulemaking:
- Verifying access requests. Multiple speakers once again expressed concern with the requirements to verify consumer requests. One speaker suggested that companies be required to undertake “commercially reasonable” efforts to verify consumer requests. Another speaker suggested that companies could use credit bureaus as intermediaries to confirm a consumer’s identity, similar to the process for registering for an online bank account. A third speaker requested that the AG support companies who use artificial intelligence and machine learning to analyze and comply with consumer requests.
- Feedback on opt-out disclaimers. Several speakers voiced support for a uniform opt-out logo or button, instead of a text link to an opt-out page stating “Do Not Sell My Personal Information” (as would be required by the Act). Business representatives voiced concern that consumers may be alarmed by use of the word “sell” where a business may not be “selling” PI in a traditional sense.
- Clarifying key definitions. In addition to the points raised at previous forums regarding definitions in the Act (such as the repeated concern that the Act does not exempt employee PI), business representatives highlighted the following issues with the definitions of “personal information” and “sale”:
- “Personal information.” One speaker suggested that the definition of PI should not include IP addresses because businesses could not identify a unique individual or identify individuals without collecting or receiving other personally identifying information. Another speaker urged the AG to clarify or exclude information related to a particular “household” from the definition of PI. And a third speaker suggested limiting the scope of PI to sensitive categories of PI only, such as financial information and Social Security numbers.
- “Sale.” Several speakers expressed concern with the Act’s broad definition of “sale.” Multiple speakers asked the AG to clarify whether a “sale” encompasses transfers of assets of a business, that include personal information, such as the sale of a credit card portfolio.
- Clarifying key definitions. In addition to the points raised at previous forums regarding definitions in the Act (such as the repeated concern that the Act does not exempt employee PI), business representatives highlighted the following issues with the definitions of “personal information” and “sale”:
- Enforcement priorities. Several speakers noted concerns about the potential impact that the Act will have on small businesses. One speaker asked the AG to consider specifically the disparate impact complying with the Act will have on smaller businesses when creating rules and enforcing the Act. Another suggested that the AG focus its enforcement efforts first on larger companies in the advertising and data brokering industries, in order to more efficiently protect consumer privacy.
- Safe harbor and federal preemption. Several speakers urged the AG to establish safe harbor provisions, such as for companies that are in compliance with GDPR. One speaker requested the AG establish a compliance certification framework, and several requested that the AG provide template notices. One speaker voiced concern that a patchwork of state regulations would be burdensome and that California should await a federal data protection law.
- Non-discrimination requirements. Multiple speakers urged the AG to clarify the Act’s non-discrimination provision, including, for example, to allow news organizations to charge a reasonable fee to access content on their website without advertisements.
- Minimum level of security. One speaker asked the AG to clarify what specific security safeguards companies should implement to comply with the Act, and whether the AG still considers the CIS Top 20 framework as the standard for compliance per the data breach guidance issued by the AG in February 2016.
In addition, consumer advocates requested that the AG consider rulemaking on the following:
- Categories of personal information. In contrast to comments from business and industry representatives, several speakers urged the AG to keep the broad definition of PI, including ensuring that IP addresses continue to be considered PI.
- Exercising consumer rights. Several speakers commented that required disclosures should be easily accessible and prominently displayed. One speaker reminded the AG that consumers without technical experience require simple and easy to understand options. Another speaker suggested that the AG adopt recent European data protection guidance by requiring that consumers be able to exercise opt-out rights within two clicks of the opt-out notice.
- Non-discrimination provision. One speaker suggested that companies be periodically audited for compliance with the non-discrimination provisions of the Act to ensure that financial incentives offered to consumers are not unfair, as evaluated against the value the business assigns to consumer personal information.
Upcoming Forums and Next Steps
The AG will hold three additional public forums: Sacramento and Fresno in February, and Stanford (newly added) in March. Information regarding the time and location for each of the upcoming forums can be found on the AG’s website.
- Sacramento, Tuesday, February 5, 2019
- Fresno, Wednesday, February 13, 2019
- Stanford, Tuesday, March 5, 2019
Written comments can be directed to the AG by email to privacyregulations@doj.ca.gov or by mail to California Department of Justice, ATTN: Privacy Regulations Coordinator, 300 S. Spring St., Los Angeles, CA 90013. Please visit our Resource Center for up-to-date information regarding the Act.