On January 25, 2019, about a hundred people gathered in an auditorium at the California Attorney General’s Office in Los Angeles. Among them were lawyers, business owners, consumer advocates, professors, advertising industry representatives, bankers and computer engineers. We were all there for one reason: to give preliminary public comments to the attorney general about the California Consumer Privacy Act.
On stage were several Deputy Attorneys General (“DAGs”) and a court reporter, ready to transcribe what Californians had to say. There were only two rules. First: the comments had to relate to one of seven topics over which the attorney general had rulemaking power under the statute:
- Whether there should be additional categories in the definition of “personal information”;
- Whether the definition of “unique identifier” should be updated;
- Exceptions to the CCPA (e.g., state and federal law);
- How consumers should submit requests for their information and how businesses should comply;
- What type of uniform “opt-out” button should be adopted;
- What type of notices and information should be provided, including notices about financial incentives for consumers not to opt out of the sale of their data; and
- Verification of a consumer request.
And second: the DAGs couldn’t actually answer any questions. They could only listen.
Here are some of the most interesting questions and suggestions from this session:
- Since the AG has yet to issue the applicable rules, when do companies need to start the record-keeping process to show compliance with the 12-month look-back period for consumer data access requests?
- If compliance with consumer requests is cost-prohibitive, how do small businesses survive? The statute allows companies to charge a “reasonable fee”—but what does that mean?
- What does it mean to provide a consumer their data in a readily usable format? Can a business rely on existing resources or must it hire a vendor?
- Should IP addresses alone really be personal information?
- What kind of affirmative obligations do companies now have to screen for age, i.e., to get opt-in consent from 13- to 16-year-olds?
- There should be a certification process to show compliance with the CCPA.
- To prove that companies are not discriminating against consumers who opt out of selling/sharing their data, companies could submit to the AG the revenue they receive from the sale of consumer data and show how they evaluate personal data to charge for services. In other words: disclose to the AG and the consumer opting out (1) the value of the information and (2) how that value is related to the charge for goods or services.
- There should be a uniform logo showing compliance with the CCPA on companies’ websites, rather than a button, similar to the “Ad Choices” logo in the advertising industry.
- The AG should issue a template for a CCPA-compliant consumer notice that would provide “safe harbor” to companies making a good faith effort to comply.
- Verifying consumer requests should be based on the quantity and quality of data a company holds, as it could be necessary to collect a lot of additional data on a consumer to verify their identity—which seems contrary to the spirit of the CCPA.
Representatives from the Attorney General’s Office also noted that there will be another opportunity to provide public comment during the formal rulemaking period, likely in the fall of this year.
Transcripts of the public comment forums are available on the California Attorney General’s website, though they reportedly may need a week or two to be uploaded.