On January 14, 2019, the California Attorney General hosted the second of six public forums regarding the California Consumer Privacy Act (CCPA) in San Diego. As in the first forum, there were a significant number of attendees, but few elected to speak publicly regarding their views on the Act. You can read our report on the first forum held in San Francisco on January 8, 2019, here.
As in San Francisco, Stacey Schesser, the Supervising Deputy Attorney General for the AG’s Privacy Unit, provided opening remarks and identified the areas of the AG’s rulemaking on which speakers should focus their comments. Ms. Schesser again noted that the AG’s office would follow a listening role only, and would not respond to, or provide feedback on, any comments or questions. She also strongly encouraged interested parties to provide written comments and proposed regulatory language during this pre-rulemaking phase.
Main Areas of Public Comment
Five individuals, including both business representatives and consumer advocates, made comments at the forum. Some of the public comments echoed those made at the San Francisco forum, while others brought new perspectives regarding areas on which the public is focused. The comments at the San Diego forum largely focused on the following topics:
- Clarifying key definitions. Multiple speakers highlighted the challenges posed by the Act’s definitions, asking for clarity and uniformity, particularly with respect to the definition of “personal information” (PI):
- One speaker noted that the current definition of PI is broad, particularly with respect to its references to “capable of being associated with,” “consumer,” and “household.” The speaker questioned whether a “household” would include roommates and adult children, and asked the AG to clarify the term. The speaker also asked the AG to clarify that the term “consumer” does not include employees, and voiced a concern that, without clarity, businesses may delete or share more information than necessary.
- Several speakers proposed that the AG base key definitions under the Act, including the definition of PI, on other identified standards. For example, a cybersecurity consultant recommended that key definitions be based on the National Institute of Standards and Technology (NIST) cybersecurity framework, noting that that industry is already familiar with and recognizes these standards. Another speaker said that it would be helpful if the Act’s definitions were consistent with those in the European Union’s General Data Protection Regulation (GDPR), as many companies will be required to comply with both laws.
- Providing notice, access, and opt-out/deletion rights to consumers. Several speakers commented on obligations the Act places on businesses, including notice requirements, responding to consumers’ access requests, and offering consumers opt-out and deletion rights.
- Notice. Several speakers raised the Act’s notice requirements, with diverging views on the issue. One speaker noted that it would be difficult for businesses to provide “explicit” notice to consumers and asked the AG to recognize “written” notice as sufficient, while another advised that any notification to consumers should be “knowing and conspicuous.”
- Responding to access requests. One speaker stated that businesses may experience difficulty in determining whether a consumer request is verifiable, and suggested that a standard form approved by the AG would lessen concern about disclosing information to a party that is not entitled to that data.
- Consumer choice. One speaker observed that it is unclear whether the Act allows businesses to offer consumers choices in exercising their rights to opt out of the sale of PI or to have PI deleted. The speaker recommended that the AG allow businesses to offer consumers the choice to delete, or to opt out of, the sale of some but not all PI.
- AG rulemaking and enforcement issues: Several speakers focused on the practical implementation of the Act, with suggestions regarding enforcement and liability issues.
- Rulemaking. Recognizing the limited scope of the private right of action, a consumer advocate urged the AG to interpret the statute broadly, noting that the AG would have the opportunity to make changes to the regulations that have bad outcomes for business.
- Affirmative defense. Echoing comments made at the San Francisco forum regarding safe harbor provisions, one speaker suggested that the AG consider providing an affirmative defense to companies that experience a breach event, but that had pre-existing cybersecurity plans.
- Presumption of liability. Conversely, this speaker said that if a company does not have a cybersecurity plan in place, there could be a presumption of liability. This speaker encouraged the AG to consult with the insurance industry because, in the speaker’s view, insurance carriers will ultimately be responsible for paying any judgment.
- Non-discrimination provision: Speakers again asked the AG to clarify the non-discrimination provision in the Act, specifically requesting information about how the provision will affect loyalty programs.
Upcoming Forums and Next Steps
The AG will hold four more public forums in January and February, the next two of which will take place on consecutive days in Riverside and Los Angeles. Information regarding the time and location for each of the upcoming forums can be found on the AG’s website, and anyone who would like to speak can pre-register here.
- Inland Empire/Riverside, Thursday, January 24, 2019
- Los Angeles, Friday, January 25, 2019
- Sacramento, Tuesday, February 5, 2019
- Fresno, Wednesday, February 13, 2019
Written comments can be directed to the AG by email to email@example.com or by mail to California Department of Justice, ATTN: Privacy Regulations Coordinator, 300 S. Spring St., Los Angeles, CA 90013. There will also be an opportunity to provide formal comments once the proposed rules are published. Please visit our Resource Center for up-to-date information regarding the Act.