The California Attorney General held the third of four public hearings on the California Consumer Privacy Act’s (CCPA) proposed regulations in San Francisco on December 4, 2019. The hearing included comments from 22 speakers and lasted approximately two hours.
The hearing was opened by Stacey Schesser, Supervising Deputy Attorney General for the Consumer Law Section’s Privacy Unit of the Office of the California Attorney General (AG). Other representatives from the California Attorney General’s office included Senior Assistant Attorney General, Nicklas Akers; Deputy Attorney General, Lisa Kim; Special Assistant Attorney General, Eleanor Blume; and Deputy Attorney General Huey Long.
Similar to the prior hearings on the proposed regulations, Ms. Schesser opened the hearing by stating that its purpose was to receive public comment on the proposed regulations. She also noted that the hearing would be audio-recorded and transcribed by a court reporter and that the resulting transcript and any written comments presented during the hearing would be made part of the rulemaking record. She also directed audience members to recently posted information about the California Department of Justice’s rulemaking process.
Ms. Schesser also remarked that the representatives of the AG’s office would not be answering questions or otherwise substantively responding to comments presented at the hearing. She noted that the AG is currently accepting written comments on the proposed regulations, with an upcoming deadline of December 6, at 5 PM PST. Ms. Schesser specified that the AG would review and consider all relevant comments, and would respond to them in the official Statement of Reasons accompanying the final regulations. Similar to prior hearings, the AG’s office did not provide any detail regarding when the regulations would be finalized.
Comments Made at the Hearing
Twenty-two speakers made comments at the hearing, with most remarking that they also planned to submit more detailed written comments. Each speaker was allotted five minutes to speak. The speakers represented a range of interests, including various industry groups such as the Alliance of Automobile Manufacturers, the Association of National Advertisers, and the Association of Magazine Media; software companies; law firms; nonprofits such as the Electronic Frontier Foundation; credit unions; and individual privacy advocates and consultants. The comments touched on a wide range of concerns and interests, but several issues were highlighted repeatedly:
- Right to Opt-Out of Sale. Several speakers commented on issues related to the administration of consumers’ right to opt-out of the selling of their Personal Information (PI) under the CCPA. The most commonly voiced concerns included the following:
  - Downstream notification of opt-out requests. Section 999.315(f) of the draft regulations provides that when a consumer exercises his or her right to opt-out of the selling of his or her PI, the business must notify all third parties to whom it has sold the consumer’s PI within the 90 days prior to receipt of the request. The business must also instruct these third parties not to further sell the PI and must notify the consumer when this required downstream notification has been completed. At the hearing, speakers expressed concerns that this obligation was overly burdensome. Some also remarked that this was a significant new requirement not originally contemplated by the CCPA. They also noted that this requirement may interfere with previously-established business relationships in which parties had contracted for the re-selling of consumer PI.
  - Responding to user-enabled privacy controls. Section 999.315(c) of the draft regulations states that businesses that collect consumer PI online must treat user‑enabled privacy controls, such as browser plugins, privacy settings, or other mechanisms that communicate or signal the consumer’s choice to opt-out of the selling of their PI, as a valid opt-out request under the CCPA. Multiple commentators critiqued this requirement, stating that it would be overly broad in application, as such browser-based controls would not allow users to specify the websites or services to which they would like the opt-out to apply. Some also stated that many businesses may not have the technological capability to track or respond to such plug-ins or similar mechanisms such as Do-Not-Track signals. Speakers also remarked that this additional requirement was somewhat unexpected, as it was not previously described in the CCPA. While some requested clarification regarding which signals would be recognized and how this requirement would work in practice, others asked that it be removed completely.
  - Opt-out button/logo design. The CCPA states that the AG regulations will also cover the development and use of a recognizable and uniform “opt-out logo or button” for businesses to use (§ 1798.185(a)(4)(C)). However, the draft regulations currently state that the button or logo is “to be added in a modified version of the regulations and made available for public comment.” (§ 999.306(e)(1)). Multiple business representatives at the meeting expressed a desire for clarification on the proposed logo design, and remarked that the CCPA’s January 1, 2020 effective date is quickly approaching.
- Financial Incentives. Numerous stakeholders also commented on the provisions of the draft regulations related to financial incentives.
  - Financial incentives as discriminatory. According to the draft regulations, financial incentives are discriminatory if a business treats consumers differently for exercising their rights under the CCPA or accompanying regulations, subject to the exception described below (§ 999.336(a)). Multiple speakers stated that this prohibition would prevent businesses from administering day-to-day loyalty programs, in turn harming consumers.
  - Value to the business. The draft regulations state that a business may offer a price or service difference “if it is reasonably related to the ‘value of the consumer’s data,’” which is defined as “the value provided to the business by the consumer’s data.” (§§ 999.336(b); 999.337(a)). The draft regulations also require businesses to disclose their good-faith estimate of the value of the consumer’s data, as well as a description of the methods used to calculate that value (§ 999.307(b)(5)). Speakers at the hearing asked for clarity on how to operationalize the “reasonably related” standard. Several also were concerned that the requirement to disclose these estimates could risk forcing businesses to reveal proprietary business information and/or trade secrets and requested that the requirement be revised or removed.
- Application of Exceptions for Financial Institutions. As currently drafted, the CCPA exempts from its scope “personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act [GLBA], and implementing regulations, or the California Financial Information Privacy Act [CFIPA].” (§ 1798.145(e)). Credit union representatives noted that the definition of PI under the CCPA differs from (and is broader than) the operative definitions in the GLBA and CFIPA, which apply to “nonpublic personal information.” These representatives sought clarity as to how these definitions would work in conjunction to effectuate the exception. For example, they asked whether the exception would only apply to personal information as defined in the GLBA and CFIPA or whether the broader CCPA definition would apply. If the latter, they asked how such PI not originally covered by these laws could be processed “pursuant to” them.
- Notice at Collection. The draft regulations specify that the notice at collection should be “easy to read and understandable to an average consumer,” along with corollary requirements such as using plain, straightforward language and using an attention-getting format, among others (§ 999.395(2)). Multiple speakers requested clarity on these standards, remarking that concepts like “easy to read” and “understandable” are subjective and open to interpretation. Some also requested that the AG provide sample notices that give examples of the types of language expected.
- Timing. Lastly, numerous commentators noted the approaching January 1, 2020, effective date for the CCPA and requested an extension for the compliance deadline. Some remarked that with the December 6 deadline for written comments, the AG’s Office would only be able to release finalized regulations shortly before January 1, if then. Multiple business representatives commented that even with full-blown compliance efforts, the lack of finalized regulations and clarity on some aspects of the CCPA made it effectively impossible for them to be able to fully comply by January. Others noted the financial and administrative burden associated with attempting to comply within such a short time-frame.
Dates and Locations of Upcoming Public Hearings
The AG will hold one final hearing in Fresno on Thursday, December 5, 2019.
Written comments must be submitted by December 6, 2019, at 5:00 pm (PST) via email to PrivacyRegulations@doj.ca.gov, or via postal mail at Privacy Regulations Coordinator, California Office of the Attorney General, 300 South Spring Street, First Floor, Los Angeles, CA 90013.