On Tuesday in San Francisco, the California Department of Justice (“DOJ”) held its first of six public forums on the California Consumer Privacy Act of 2018 (“CCPA”) before a packed room of industry representatives and public citizens. The forums are intended to fulfill the Attorney General’s mandate under CCPA to solicit broad public participation in its adoption of regulations under the law.
DOJ Rulemaking Responsibilities
DOJ representatives began the forum by emphasizing that they would not be making any public comments or answering questions. They did note, however, that their rulemaking will focus on fulfilling the Attorney General’s obligation under the CCPA to adopt regulations, particularly in the following seven areas:
- Categories of Personal Information: Whether the categories of personal information currently enumerated in the CCPA should be updated to address changes in technology, data collection practices, obstacles to implementation, and privacy concerns.
- Definition of Unique Identifiers: Whether the CCPA’s definition of unique identifiers (e.g., IP address, device identifier, cookie identifiers) should be updated to address changes in technology, data collection, obstacles to implementation, and privacy concerns.
- Exceptions to CCPA: Whether exceptions to CCPA are necessary to comply with state or federal law, such as laws protecting trade secrets and intellectual property rights.
- Submitting and Complying with Requests: How consumers should submit requests to opt out of the sale of their data—and how a business can honor such requests.
- Uniform Opt-Out Logo/Button: The development of a recognizable and uniform opt-out logo or button for use by all businesses to promote consumer awareness of the opportunity to opt out of the sale of personal information.
- Notices and Information to Consumer: The notices and information that businesses are required to provide to consumers to comply with the CCPA.
- Verification of Consumer’s Request: Both how a consumer can submit requests to exercise rights under the CCPA and how a business can reasonably verify such requests and validate the requester’s identity.
Attendees commented on various aspects of the CCPA, but four areas of emphasis were: (1) the definition of personal information, (2) the right to equal service, (3) clarification of when CCPA applies, and (4) safe harbors.
Definition of Personal Information
A technology company representative argued that the CCPA’s definition of personal information is so broad that companies would need to start expanding the amount of information they link to individuals to ensure compliance with individuals’ requests to access, delete and opt out of the sale of their personal information. He argued that requiring such linkage would place unreasonable burdens on companies, and it would put consumers at greater risk, since the information would otherwise not be as readily linkable to a particular individual. Furthermore, multiple business representatives argued that defining an IP address as personal information is untenable and problematic.
However, a private citizen countered that the definition of personal information should remain broad so that companies cannot skirt the regulation by relying on the CCPA’s exemptions for deidentified data. The individual argued that narrowing the definition of personal information would serve to harm consumers by letting companies sidestep the CCPA.
Right to Equal Service
Under the CCPA, businesses are not permitted to “discriminate against” a consumer for exercising his or her rights under the statute, subject to a few unclear and seemingly contradictory exceptions. For example, it is unclear under the CCPA whether it would be discriminatory for a company to charge a consumer for a free ad-supported service if the consumer opts out of the sale of his or her information such that the company cannot share it with advertisers. An advertising trade group representative argued that regulations should make clear that advertisers can charge a “reasonable rate” as an alternative to an ad-supported service, without exception.
A consumer rights advocate countered that such a regulatory scheme would lead to a two-tier system of privacy regulation, where the wealthy pay to maintain their privacy and the poor can’t afford to.
Application to Businesses
A law professor argued that the California Attorney General should clarify whether the CCPA’s $25 million revenue threshold for when the law applies to a business would be triggered even if the vast majority of that revenue were generated outside California. He also noted the need for clarification of whether a company would be given a ramp-up period to complete a CCPA compliance program once the company’s revenue reaches $25 million.
Safe Harbors
Multiple corporate representatives mentioned the need for a safe harbor under the CCPA that would define specific steps that businesses could take to avoid liability.
Upcoming Forums and Feedback to the Department of Justice
The five remaining public forums on the CCPA are listed below. Public comments on the CCPA can be submitted to the Department of Justice by email to firstname.lastname@example.org or by mail to CA-DOJ, ATTN: Privacy Regulations Coordinator, 300 S. Spring St., Los Angeles, CA 90013.
- January 14 – San Marcos
- January 24 – Riverside
- January 25 – Los Angeles
- February 5 – Sacramento
- February 13 – Fresno