The California Attorney General (AG) held its fifth of seven public forums on the California Consumer Privacy Act (CCPA) in Sacramento on February 5, 2019. The Sacramento forum was among the best attended CCPA public forums to date, and more individuals spoke at this forum than at any other CCPA public forum. For over two hours, trade association representatives and consumer advocates provided competing visions of how the AG should implement the Act. The following provides an overview of the Sacramento forum and comments made at the forum. You can also read our reports on previous forums held in San Francisco, San Diego, Los Angeles, and Riverside here.
AG’s Opening Remarks
As with previous forums, Stacey Schesser, Supervising Deputy Attorney General of the AG’s privacy unit, gave opening remarks. She outlined previous ground rules: speakers had five minutes to provide comments, comments should focus on specific rules the AG must promulgate, and the AG’s office would not provide responses or feedback to comments. Ms. Schesser reiterated the AG’s request for written comments and/or draft regulations by March 8, 2019 as well as the AG’s estimated timeline for issuing draft regulations in Fall 2019.
Participation and Comments at the Forum
Approximately 150 individuals attended the Sacramento forum, and 25 individuals made remarks. Industry representatives made 19 comments and consumer advocates made six comments.
Industry comments. The majority of business and industry comments came from trade associations representing a variety of sectors, including retail, advertising, wireless, online gaming, payroll processing, credit monitoring and fraud prevention, education, life sciences, utilities, and nonprofits. These representatives raised general as well as industry-specific concerns.
As to general issues, industry representatives primarily requested clarification on previously raised issues, including:
- Key definitions of:
  - “Personal information (PI),” particularly to address safety and security concerns raised by including “household” in the definition of PI, which could potentially allow domestic abusers, for example, to request PI to track their spouses.
  - “Consumer,” particularly as it applies to employee data as well as affiliate‑to‑affiliate and business-to-business relationships.
  - “Sale,” particularly to clarify the meaning of “other valuable consideration” and how that term may impact different business operations—such as online advertising, payroll processing, and loyalty programs—as well as how it may apply to intra-affiliate data sharing.
- Individual rights requirements, including:
  - Access requests. Industry representatives reiterated the need for clear verification procedures and safe harbors if a business provides PI to the wrong person despite complying with verification requirements. Multiple speakers argued that the access right, as written, is anti-privacy, as it requires businesses to collect more information than they otherwise would to verify requests and to centralize information to respond to requests, thereby raising cybersecurity risks.
  - Flexible opt-out and deletion rights. Multiple speakers requested the AG adopt regulations allowing businesses to offer a menu of opt-out and deletion options rather than taking an all-or-nothing approach to implementing these rights.
  - Non-discrimination. The AG should allow businesses to charge reasonable fees to consumers who opt out of sales or choose to delete data, representatives argued. The AG should also confirm that a business does not “discriminate” if it cannot offer services without a consumer’s data.
One speaker also expressed concern regarding compliance deadlines, arguing that the six-month compliance deadline is “arbitrary and capricious” and that the AG should provide different compliance deadlines for each individual right, similar to the Federal Communications Commission’s approach to robocall requirements.
As to industry-specific issues, trade associations commented on:
- The impact of the Act on nonprofits (which will bear the costs of their for-profit partners’ compliance) as well as small businesses.
- Concerns with the Act’s application in the education space, including conflicts with existing education privacy laws as well as the fact that the Act allows students to request to delete their grades.
- Challenges for utility companies in complying with the Act and California Public Utilities Commission (CPUC) privacy requirements.
- The need to clarify the Gramm-Leach-Bliley (GLBA), Health Insurance Portability and Accountability Act (HIPAA), and Confidentiality of Medical Information Act (CMIA) exceptions for financial and health industries, respectively.
- The need to clarify compliance for non-consumer facing companies with the Act’s requirement to provide consumers with “explicit notice” and an opportunity to opt-out before third parties sell consumers’ PI.
Consumer advocate comments. Representatives from consumer and privacy advocacy groups, including Californians for Consumer Privacy—the organization behind the initiative that spawned the Act—primarily commented on:
- Financial incentives and non-discrimination requirements. Multiple consumer representatives voiced concern that financial incentives or exceptions to the non-discrimination provision could create a “pay-for-privacy” regime that would primarily impact low-income consumers and undermine constitutional privacy rights.
- Consumer notices. Commentators emphasized that the AG should ensure that consumer privacy notices are clear, user-friendly, and contain sufficient detail to clarify what information businesses collect and for what purpose. One speaker argued notices should list third parties with whom businesses share PI (as required by the initiative).
- Opt-out rights. Advocates also asked the AG to provide user-friendly opt-out mechanisms. One speaker asked the AG to consider global opt-out mechanisms and to decline flexible opt-out options. Another speaker argued the opt-out right should instead be an opt-in requirement.
Upcoming Forums and Next Steps
The AG will hold two more public forums:
- Fresno, Wednesday, February 13, 2019
- Stanford, Tuesday, March 5, 2019
Written comments can be directed to the AG by email to privacyregulations@doj.ca.gov or by mail to California Department of Justice, ATTN: Privacy Regulations Coordinator, 300 S. Spring St., Los Angeles, CA 90013. Again, the deadline to submit comments is March 8, 2019. Please visit our CCPA Resource Center for up-to-date information regarding the Act.