In The News

Do Calif. AG’s New Regs Exceed Scope of Privacy Law?


02 Dec 2019
Reprinted with permission.

Chris Lyon spoke to Law360 for a story on the California attorney general's draft regulations for implementing the California Consumer Privacy Act (CCPA) and whether they exceed the scope of privacy law.

Chris discussed the issue with the prohibition on treating customers differently if they exercise their rights to have their data deleted or not shared with third parties, with the restriction dealing a blow to popular services such as loyalty programs that are premised on consumers’ exchange of information for benefits. The restrictions may “lead down the path of treating personal information as a mere commodity, which seems contrary to the original intent of the CCPA, which would be burdensome for both customers and consumers.”

“Many companies were disappointed that the draft regulations didn’t provide more or better guidance about how to authenticate a requestor’s identity before granting access to a consumer’s personal information,” Chris said about the additional issue of verifying the identity of consumers making data requests. The regulations “give no indication of how to select those ‘reliable’ data points, or what to do if a company has only data points that would be fairly easy for anyone to find, such as name and home address.”



Unsolicited e-mails and information sent to Morrison & Foerster will not be considered confidential, may be disclosed to others pursuant to our Privacy Policy, may not receive a response, and do not create an attorney-client relationship with Morrison & Foerster. If you are not already a client of Morrison & Foerster, do not include any confidential information in this message. Also, please note that our attorneys do not seek to practice law in any jurisdiction in which they are not properly authorized to do so.