Jennifer S. Elkayam
Theodora Oringher PC
Jeewon Kim Serrato
Norton Rose Fulbright US LLP
The California Consumer Privacy Act of 2018 (“CCPA”), California’s new privacy law which takes effect on January 1, 2020, requires the Attorney General to adopt implementing regulations that further the objectives of the CCPA. The California Lawyers Association has scheduled a number of events and webinars focused on this new law, including a webinar hosted by the Privacy Subcommittee on March 26. You can register here.
Much concern has been raised about the law as currently written, including by Attorney General Xavier Becerra himself. With regulations set to be issued on or before July 1, 2020, the Attorney General’s Office scheduled six public forums to give key stakeholders an opportunity to provide feedback on the law and help shape the implementing regulations. The forums were not intended for the Attorney General’s Office to engage with the audience or respond to questions, but instead for the public to submit comments as part of the rulemaking process.
Specifically, the AG’s office is focused on adopting regulations relating to the following CCPA key requirements:
- Businesses must disclose data collection and sharing practices to consumers;
- Consumers have a right to request their data be deleted;
- Consumers have a right to opt out of sale or sharing of their personal information; and
- Businesses are prohibited from selling personal information of consumers under the age of 16 without explicit consent.
Members of the Antitrust, UCL, and Privacy Section attended the first hearing in San Francisco on January 8 and the fourth hearing in downtown Los Angeles on January 25, 2019. The following are some takeaways from these forums on the CCPA:
More than 100 members of the public attended in person at each event and approximately 20 people offered comments, made suggestions, and asked for clarity on various terms and provisions in the statute. The majority of comments were made by business and trade association representatives likely to be subject to the CCPA. Several attorneys advocating on behalf of their clients and a handful of consumer privacy advocates also expressed opinions about the new legislation. The comments made at the workshop reflect general concerns about perceived ambiguities in the law, as well as potential unintended consequences for businesses that collect information about California consumers. Many comments were focused on asking the Attorney General to issue regulations clarifying certain key terms, including their scope and meaning, as well as issues regarding the practicality of compliance.
Specific issues that were highlighted during the public hearings include:
- DEFINITIONS: Commenters asked the Attorney General to clarify certain ambiguous definitions, including the definition of “personal information” and whether it includes IP addresses and inferences drawn from personal information to create a profile about a consumer. Others proposed narrowing the definition of “sale” to exclude online advertising and clarifying that the prohibition against the “sale” of personal data would not restrict the transfer of data to service providers.
- SCOPE: Several people also sought guidance regarding the calculation of the revenue threshold in the CCPA. The CCPA applies to any “business,” including any for-profit entity that collects consumers’ personal information, which does business in California, and which satisfies one or more of the following thresholds: (1) has annual gross revenues in excess of twenty-five million dollars ($25,000,000); (2) possesses the personal information of 50,000 or more consumers, households, or devices; or (3) earns more than half of its annual revenue from selling consumers’ personal information. Although two of the three thresholds involve a calculation of revenue, the CCPA does not specify whether this includes revenue worldwide or whether it is limited to California revenues. They also asked whether the revenue has to be attributable to the sale of personal information in some manner. Business representatives expressed a desire for further clarification in order to determine if they are subject to the CCPA.
- NEW ACCESS AND OPT OUT RIGHTS: A hot area of discussion was the new data access and opt-out rights under the CCPA. Under the CCPA, companies must provide specific disclosures about the personal data they collect and provide a clear link on their homepage labeled “Do Not Sell My Personal Information.” The definition of “sale” under the CCPA is very broad and includes any transfer of personal data to third parties “for monetary or other valuable consideration.” Considering the broad definition of “sell,” some businesses expressed the concern that the required language to be used in this link would confuse consumers about how the business is actually using their personal information. Some speakers suggested that the text link be replaced with a standardized button that all businesses be required to use. One consumer advocate stated that the opt-out procedure should be streamlined and not buried under a multitude of page clicks.
- VERIFICATION: Companies will be required to verify the identity of the person making data access and opt out requests. Some commenters have noted that this may actually undermine the law’s goal of limiting the collection of personal information because the law may require companies to collect more data as part of identity verification that they might otherwise not need to collect. Some speakers suggested that the Attorney General issue regulations explaining “commercially reasonable” efforts necessary to satisfy the verification requirement. Some speakers proposed that the verification process account for the nature of the relationship between the consumer and the company. One speaker suggested that the Attorney General issue regulations authorizing the use of credit bureaus as part of the verification process.
- ANTI-DISCRIMINATION: One of the most controversial elements of the CCPA, and one that was raised during the Los Angeles public forum, is the establishment of an “anti-discrimination” right. The CCPA’s anti-discrimination provisions limit businesses’ ability to deny services, charge different prices, or offer different qualities of services to consumers who exercise their rights under the law. While there are certain exceptions to the general prohibition on discrimination, the comments expressed during the public hearings demonstrated that they are in need of further clarification. For example, businesses may charge consumers different prices or offer different levels of service if the difference is “reasonably related to the value provided to the consumer by the consumer’s data.” The CCPA also permits businesses to offer financial incentives—including payments to consumers as compensation for the collection, sale, or deletion of personal information. The drafters, however, did not define the term “financial incentives” or more clearly lay out the conditions under which they may be allowed as compensation for the collection, sale, or deletion of personal information.
- SAFE HARBOR: Several speakers called for the Attorney General to establish a safe harbor provision for businesses that are GDPR-compliant, and for greater synergy between the new California law and the EU data protection law.
The last public forum will be held at Stanford on Tuesday, March 5, 2019, 12:45 PM – Stanford Law School, 559 Nathan Abbott Way, Room 290, Stanford, CA 94305.
Public comments are also accepted by email at email@example.com or by mail to the California Department of Justice, ATTN: Privacy Regulations Coordinator, 300 S. Spring St., Los Angeles, CA 90013.
The Attorney General’s Office expects to circulate draft regulations by the fall of this year. There will be an opportunity to comment on the draft regulations after they are published.