Chris Lyon spoke to Law360 for a story on the California attorney general's draft regulations for implementing the California Consumer Privacy Act (CCPA) and whether they exceed the scope of privacy law.
Chris discussed the issue with the prohibition on treating customers differently if they exercise their rights to have their data deleted or not shared with third parties, with the restriction dealing a blow to popular services such as loyalty programs that are premised on consumers’ exchange of information for benefits. The restrictions may “lead down the path of treating personal information as a mere commodity, which seems contrary to the original intent of the CCPA, which would be burdensome for both customers and consumers.”
“Many companies were disappointed that the draft regulations didn’t provide more or better guidance about how to authenticate a requestor’s identity before granting access to a consumer’s personal information,” Chris said about the additional issue of verifying the identity of consumers making data requests. The regulations “give no indication of how to select those ‘reliable’ data points, or what to do if a company has only data points that would be fairly easy for anyone to find, such as name and home address.”