As the 45-day period for public comments on proposed regulations to implement the California Consumer Privacy Act (“CCPA”) draws to a close (comments must be submitted by 5:00 pm Pacific time on December 6), we share this report from the second of four public hearings that the Attorney General’s Office is holding this week. Deputy Attorney General Nick Akers, joined by three colleagues from the AG’s Office, presided over the hearing, which was held on December 3 in Los Angeles. Mr. Akers made it clear from the outset that the AG’s Office was in listening mode and would not engage in dialogue or answer substantive questions during the hearing.
Two dozen speakers took advantage of the AG Office’s attention to present a broad array of concerns about – and request changes to – the proposed regulations. The overwhelming majority of speakers discussed operational and practical challenges that they would face if required to implement the regulations as proposed; there were few speakers representing consumer or advocacy groups. Below are some of the main themes that emerged from the hearing.
- Modify the Notice Requirements for Onward Sale of Data. Speakers representing data brokers, online directories, people search services, and similar services urged the AG to rethink proposed subdivision 999.305(d). This provision would excuse a business that “does not collect information directly from consumers” from the obligation to provide notice at the time of collection, but it would require such businesses to take one of two actions prior to selling personal information obtained indirectly: (1) provide direct notice to consumers of their right to opt out of sale; or (2) confirm that the source provided such notice, and obtain the source’s signed attestation to that effect.
Speakers asserted that these requirements are unworkable and potentially unconstitutional. A better route, they argued, is to rely on general privacy policies, the right to opt out of sale, and the data broker registry mandated under AB 1202 to provide consumers with transparency and control.
- Limit Do Not Sell Requirements. Speakers presented three main objections to the AG’s proposed implementation of the right to opt out of sale. First, these speakers objected to the “downstream notice” requirement (subdivision 999.315(f)) – which would require businesses to send opt-out requests to third parties to which they sold information within 90 days before receiving an opt-out request – arguing that the CCPA does not authorize such a requirement, and that it will require companies to breach lawful, existing contracts. A second objection to the downstream notice requirement is that it will, in effect, impose the opt-out requirement on entities that are not subject to the CCPA and require all entities involved in a given request to respond on an unrealistically short timeline. Finally, at least one speaker argued that the regulations should permit businesses to respond to opt-out requests received from the “Do Not Sell My Personal Information” link or browser-based opt-out signals but should not require the ability to respond to both.
- Provide Additional Guidance About Verification and Data Security. Speakers representing a broad array of interests argued that the proposed regulations create the potential for abuse by fraudsters, identity thieves, and other bad actors. For instance, the direct notice requirement would likely create a flood of notices, giving perpetrators of imposter schemes an opportunity to slip fraudulent requests for consumers’ personal information in among legitimate notices. Others criticized the AG’s proposal (subdivision 999.313(d)(1)) to require businesses to treat unverifiable deletion requests as requests to opt out of sale, on the ground that it will invite bot attacks that have the effect of opting many consumers out of the sale of their personal information without their knowledge.
- Ease Burdens on Small Businesses. Small business owners and representatives asked the AG to consider ways to reduce regulatory burdens on small businesses. For instance, one suggestion was to exempt businesses from CCPA obligations if they meet the definition of a business only because they collect IP addresses – and no other personal information – from 50,000 or more consumers annually.
- Clarify Exemptions for Nonprofits, Financial Institutions, and Employers. Representatives of credit unions sought clarity about whether, and to what extent, the CCPA applies to them. One speaker noted that many credit unions are organized as nonprofits but, as mutual benefit corporations, operate for the benefit of their members and therefore could qualify as “businesses” under the CCPA. Others asked the AG to clarify the scope of the CCPA’s exemption for personal information collected under the Gramm-Leach-Bliley Act and the California Financial Information Privacy Act, arguing that the AG should take a broad view of the exemption to prevent consumers from receiving additional – and potentially confusing – notices from financial institutions. Finally, representatives of employee benefits administrators recommended that the AG provide guidance that broadly defines the benefits that fall within AB 25’s exemption.
We will closely monitor subsequent stages of the AG’s CCPA rulemaking process. Please contact any member of Kelley Drye’s Privacy team if you have any questions.