Attorney General Hearings Underline Key Deficiencies in the Proposed CCPA Regulations
Privacy in Focus®
The California Attorney General (AG) office held public hearings from December 2 through December 5, 2019, on its draft regulations implementing the California Consumer Privacy Act (CCPA). Representatives from the AG’s office heard testimony from diverse stakeholders, including the financial services sector, the advertising sector, privacy advocates, and security, privacy, and legal professionals. Their testimony confirmed that the draft regulations fail to resolve much of the considerable uncertainty surrounding the CCPA and impose additional burdensome compliance obligations on business.
After the CCPA passed in 2018, businesses had anxiously awaited the AG’s draft regulations, hoping they would offer guidance and support for implementing a complex and hastily drafted law. The draft regulations were released on October 10, and the response has not been favorable. As was clear from the comments provided at the hearing, there was still a great amount of uncertainty – mere weeks before the law took effect on January 1, 2020 – on how to implement the CCPA. Additionally, commenters were clear that the new obligations proposed by the AG will add to their compliance challenges.
Need for Additional Clarification
Commenters specifically called out the need for clarification or additional guidance on the following elements of the CCPA and/or the draft regulations:
Definitions: An often-repeated complaint about the CCPA is its broad definitions. Testimony at the hearings called on the AG to provide more clarity around certain key definitions, including “valuable consideration” and “sale,” and even terms as seemingly straightforward as “third party” and “household.” These definitions are key to critical compliance obligations, yet their scope is unclear.
Notice Obligations: The draft regulations require that the various consumer notices must be provided “in a way that is easy to read and understandable.” But the draft regulations also appear to require multiple website links to (potentially) separate notices. Several commenters argued that the AG’s proposed rules will make the process more confusing for consumers. There was a general outcry for the AG to provide model notices to help businesses comply with these obligations.
Verification: Numerous commenters shared their struggle to create a verification program that balances the obligation to respond to a consumer request with the need to protect the consumer’s information. There were several requests for the AG to provide additional guidance on how to verify a consumer’s identity.
GLBA: The CCPA provides an exemption for Personal Information “collected, processed, sold or disclosed” pursuant to the Gramm-Leach-Bliley Act (GLBA) or the California Financial Information Privacy Act (CFIPA). However, several commenters noted that, as drafted, this exemption leaves out significant information that financial institutions may need to complete a transaction. They asked that the AG clarify the extent to which the GLBA exemption applies to data collected and used by financial institutions.
New Obligations Under the Draft Regulations
In addition to these calls for clarification, speakers were vocal in their opposition to the new obligations proposed by the draft regulations, which, they argued, were burdensome and had no basis in the underlying statute.
New Notice Obligations: Numerous speakers noted that the additional notice obligations proposed in the AG’s draft regulations, such as the separate notice at collection, will make these notices less user-friendly and more cumbersome and confusing for consumers. Others argued that the new obligations imposed on entities that collect personal information indirectly – in particular, the need to potentially obtain the consumer’s consent by directly contacting the consumer – would create opportunities for scammers to launch phishing attacks, as consumers will have no pre-existing relationship with many of the companies that might contact them about the personal information pursuant to the regulations.
Opt-Out/Flow Down Requirement: The draft regulation requires a business to notify all third parties to which it sold a consumer’s personal information of that individual’s opt-out request and “instruct them not to further sell the information.” Commenters argued that this requirement goes beyond the obligations of the statute and further that it raises serious contractual concerns as it may change the legal obligations of the parties. Additionally, there was significant pushback on the draft regulations’ new requirement that a business must honor browser settings as an opt-out request.
Financial Incentives: While many businesses struggled to understand the CCPA’s prohibition on discriminatory practices, there was general agreement that certain rewards programs, such as grocery discounts or gas-reward programs, could continue under the CCPA. However – as was clear from the testimony provided at the hearings – the significant new obligations that were proposed in the draft regulations have raised concerns in the business community as to whether they can continue to offer these discount programs to California consumers. Commenters noted that the new obligations – in addition to going well beyond the requirements of the CCPA – are unwieldy and do not reflect how businesses operate or value data.
Commenters were uniform in their commitment to providing consumers with the privacy protections contemplated by the CCPA, but they argued that the lack of clarity on key elements of the law, and the imposition of new and unwieldy requirements mere weeks before the law’s effective date, made full compliance almost impossible for any business. Several commenters pleaded for an extension of the effective date to allow them time to design and operationalize a truly compliant CCPA program.
The comment period for the draft regulations closed on December 6, and the AG has given little indication of the timeline for finalizing the regulations. At the hearings, the AG representatives were in listening mode only and did not respond to questions or attempt to explain the draft regulations, though they did affirm that all comments – whether provided in person at the hearings or in writing – would be considered. The CCPA requires that the AG’s regulations be issued no later than July 1, 2020. In the meantime, the CCPA itself became effective January 1, 2020, with significant uncertainty remaining in many areas that directly affect business compliance.
© 2020 Wiley Rein LLP