Skip to content

Discerning Data

  • About Us
  • Additional Resources
  • Contact Us

DISCERNING DATA

A Faegre Drinker Blog Covering the Latest in Privacy, Cybersecurity and Data Strategy
  • Privacy
  • Cybersecurity
  • Data Strategy
  • Disruptionware

California Attorney General’s Office Gathers Public Opinions Regarding the Implementation of the California Consumer Privacy Act

Share

The California Department of Justice has opened up public forums this month as part of the Attorney General’s rulemaking process to promulgate regulations under the California Consumer Privacy Act of 2018 (CCPA). We previously discussed the Attorney General’s Office’s public statement regarding the CCPA here.

As required by the CCPA, the Attorney General must adopt certain regulations on or before July 1, 2020. In holding these public forums, the Attorney General’s Office hopes to provide an initial opportunity for the public to participate in establishing procedures to facilitate consumers’ rights under the CCPA and to provide guidance for business compliance. Specifically, the following aspects are of high priority: businesses’ obligation to disclose data collection and sharing practices to consumers; consumer rights to request deletion of data; consumer rights to opt out of having their personal information sold to third parties; and restrictions on the sale of personal information of consumers under the age of 16 without explicit consent. The Attorney General’s Office scheduled six public forums across different counties in California and invites in-person attendance or written submissions of public comments through February 2019.

Highlights from first public forums

The first public forum took place on January 8, 2019, in San Francisco. More than 100 members of the public attended the forum in person. The Attorney General’s Office kicked off the forum by inviting comments on the following topics:

• Are additional categories of personal information needed?
• Does the definition of “unique identifiers” need to be updated?
• What additional exceptions are needed to comply with state or federal law?
• What rules and procedures should be established for submitting and complying with consumer requests?
• What uniform opt-out logo/button would best promote consumer awareness?
• What types of information or language are sufficient to provide consumers with easily understandable and accessible notice of their rights?
• How should businesses verify and authenticate consumer requests?

Fourteen audience members shared comments and input, including business and trade association representatives and consumer advocates. Specifically, the following comments were provided:

• Commenters asked the Attorney General’s Office to clarify several key definitions in the CCPA, including “Business,” “Personal Information,” “Specific Pieces of Personal Information,” “Consumer” and “Sale.”
• Commenters urged the Attorney General’s Office to establish safe harbor provisions for businesses compliant with the European Union’s General Data Protection Regulation (GDPR) requirements, businesses that voluntarily adopt a template notice to be published by the Attorney General’s Office, and for the sale of information during mergers or acquisitions.
• Commenters asked the Attorney General’s Office to clarify how the CCPA would apply to targeted advertising and loyalty programs.
• Some speakers argued that the inclusion of Internet Protocol (IP) addresses and device identification information as “personal information” is overbroad and would overburden small businesses in record-keeping.
• Some speakers commented that allowing businesses to charge fees or different prices for service “reasonably related to the value provided to the consumer by the consumer’s data” would adversely impact low-income consumers and may run afoul of the original intention of the non-discrimination provision of the CCPA.
• Commenters also proposed that the Attorney General’s regulations should not require businesses to collect additional personal information in order to verify or authenticate consumer requests if the business would not otherwise collect such information.

The second public forum took place on January 14, 2019, in San Diego. The forum again had a similarly high attendance of over 100audience members, but fewer participants contributed comments. In addition to expressing similar concerns from the last public forum, including seeking clarification from the Attorney General’s Office on several key definitions, the speakers added the following comments:

• Commenters sought guidance as to what qualifies as “express notice” required by the CCPA when informing consumers of their rights and responding to consumer inquiries.
• Commenters sought guidance as to what steps businesses must take to notify consumers of data collected from third-party data providers.
• Some speakers urged the Attorney General’s Office to provide guidance on the form and categories of data that a business must provide to consumers in response to an access request in order to reduce risks for businesses.
• Commenters recommended that the Attorney General’s Office allow businesses to offer consumers the choice to delete or to opt out of the sale of some, but not all, personal information.
• Some commenters encouraged the Attorney General to proactively enforce the CCPA, considering that consumers have only a limited private right of action.
• Commenters suggested that a business’s degree of cybersecurity preparedness should be considered as an aggravating or mitigating factor in the event of a data security breach.
• Commenters also suggested that deference should be given to industry standards followed by liability insurance carriers such as the National Institute of Standards and Technology (NIST) when interpreting the CCPA.

No additional comments from AG, upcoming forums

Little was revealed in the first two public forums as to the Attorney General’s current thinking on the draft regulations. The Attorney General’s Office has publicly stated that the forums are primarily focused on listening to public comments and are not intended for the representatives from the Attorney General’s Office to engage with the audience or respond to questions.
In addition to the comments made at the public forums, privacy lawyers, professionals and members of academia have communicated other serious concerns about the implementation of the CCPA in writing. For example, some commenters have expressed concern that the CCPA was enacted to apply across all industries while ignoring many fundamental differences among affected industries. As a result, some businesses that rely heavily on consumers’ personal information in their normal operations could be significantly disrupted. Some commenters also have highlighted problems with the CCPA’s scope of application and the potential for jurisdictional conflicts.

The next four public forums are scheduled to take place on January 24 (Inland Empire/Riverside), January 25 (Los Angeles), February 5 (Sacramento) and February 13 (Fresno). After the public forum tour, the Attorney General’s Office will prepare proposed rules, which will be published for public notice in or around September 2019. The Attorney General’s Office will then solicit formal comments in writing and through televised public hearings before finalizing the rule. DBR on Data will continue to monitor and report on the latest CCPA developments.

The material contained in this communication is informational, general in nature and does not constitute legal advice. The material contained in this communication should not be relied upon or used without consulting a lawyer to consider your specific circumstances. This communication was published on the date specified and may not include any changes in the topics, laws, rules or regulations covered. Receipt of this communication does not establish an attorney-client relationship. In some jurisdictions, this communication may be considered attorney advertising.

About the Author: Qiusi Newcom

Qiusi Y. Newcom is an associate in the firm's government & regulatory affairs practice. Read Qiusi's full bio on the Faegre Drinker website.

About the Author: Peter Blenkinsop

Peter Blenkinsop advises clients on regulatory compliance, focusing on two distinct but overlapping areas: (i) information privacy and data protection, and (ii) medical research. View Peter's full bio on the Faegre Drinker website.

Receive Email Alerts to New Articles

SUBSCRIBE

January 24, 2019
Written by: Qiusi Newcom and Peter Blenkinsop
Category: CCPA, Privacy
Tags: California Consumer Privacy Act, CCPA, data privacy

Post navigation

Previous Previous post: Charges Connected to Hack of SEC’s EDGAR System Discussed in SECurities and Law Perspectives
Next Next post: European Union Adopts Adequacy Decision For Safe Data Flows With Japan

Search the Blog

Sign Up for Email Alerts

PODCASTS

Faegre Drinker on Law and Technology

©2023 Faegre Drinker Biddle & Reath LLP. All Rights Reserved. Lawyer Advertising.

  • About Us
  • Additional Resources
  • Contact Us
We use cookies to improve your experience with our website. By browsing our site, you are agreeing to the use of cookies. For more information about how we use cookies, please review our privacy policy and cookie policy. OK
Privacy & Cookies Policy

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Non-necessary
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
SAVE & ACCEPT