California AG Faces Criticism of Draft Regulations at Los Angeles CCPA Hearing
From December 2 to December 5, 2019, the California Attorney General (AG) is conducting a marathon four days of public hearings on its draft regulations implementing the California Consumer Privacy Act (CCPA), and Wiley Rein is in California covering the hearings for the firm’s clients around the world. The Wiley Rein Privacy team attended the hearing in Los Angeles (LA) on December 3, and will cover the San Francisco hearing on December 4. The team is hosting a happy hour after the San Francisco hearing on Wednesday, December 4; please feel free to join for color commentary.
The testimony at the LA hearing, as detailed below, confirms what the team has been seeing for the past year — the hastily drafted CCPA presents major compliance challenges for businesses across the country. And while the AG had the opportunity to clarify the law’s confusing aspects, unfortunately the draft regulations in many cases will make compliance even more complicated. At the same time, businesses are left without concrete, practical guidance on key points such as consumer verification (something other laws, like recent draft federal legislation, may try to clean up).
The hearing in LA, on December 3, drew diverse stakeholders, including the financial services sector, the advertising sector, and multiple security, privacy, and legal professionals. The testimony touched on many of the challenges of CCPA compliance that have been consistently flagged by industry and commentators. Hopefully the AG will heed these calls for clarity. For example:
- Notice Requirements. The CCPA imposes strict notice requirements on businesses. The draft regulations added new requirements, not included in the statute, that are complex and prescriptive, not to mention confusing. At the LA hearing, there were multiple calls for the AG to provide a model or template for its required notices. Others warned that these additional notices will be confusing to consumers. This was a concern generally (as there will be new links for consumers to follow and information repeated across notices) but also particularly for those entities, like financial institutions, that are covered by other broad privacy regimes. Still others noted the difficulty in managing the new disclosure obligations under California law in coordination with existing requirements such as CalOPPA. There were also concerns raised about when a business has to post certain notices, specifically the Notice of the Right to Opt-Out.
- Responding to Consumer Requests. Together with the draft rules, the CCPA will require businesses to respond on tight timelines and through very specific procedures to requests submitted by consumers or authorized agents that range from narrow to broad. There are different timelines for specific requests — some require confirmation of receipt within 10 days, some require action within 15 days, and some require action within 45 days (with the option for a 45-day extension). There are also different content and security requirements based on the type of request a business is dealing with. Testimony at the LA hearing called for these response requirements to be streamlined. Questions were also raised about how to comply with these complex and prescriptive requirements. For example: How should a business securely transmit responses? What is a business’s obligation to remind a consumer to confirm a request (in the select instances where such confirmation is required)? Concerns were raised that it would be difficult for organizations to respond in the timeframes given, especially where data is not stored locally. Of note, one person called out a provision in the draft regulations that requires that an unverified “request to delete” be treated as a “request to opt-out,” explaining that this is not a requirement in the statute and may put businesses at risk for cyber attacks.
- Verification Standards. The CCPA requires verification of certain types of consumer requests and the draft regulations detail how companies should go about such verification. Testimony at the LA hearing warned of the difficulty of verification and the risks of releasing information using minimal verification, especially when businesses have very little information about a consumer.
- Security Standards. The CCPA establishes a private right of action in the case of a breach of a limited set of personal information caused by a “business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.” Testimony at the hearing asked the AG to adopt minimum reasonable security practices based on National Institute of Standards and Technology (NIST) work.
- Flow Down Requirements and Role-Specific Obligations. It is clear that there is still confusion regarding what obligations flow down to various service providers and third parties, and what those various entities are obligated to do. For example, several hearing participants asked for clarification of a third party’s obligations when a business shares with that third party a deletion request from a consumer. These participants raised the issue that requiring a third party to stop selling the personal information of a consumer who has opted out may violate contractual provisions between the parties. Other participants addressed the extreme difficulty that certain types of businesses that collect information indirectly could face in trying to comply with the notice or attestation requirements proposed by the AG.
- Employee Data. In light of recent amendments to the CCPA that created a limited (both in scope and time) exception for employee data, participants at the LA hearing testified that more clarity is needed from the AG on this issue. Specifically, clarity and guidance were requested on what type of notice employers must provide to employees, given that the partial exemption for employee data does not extend to all notice requirements.
- Financial Incentive Programs. The CCPA’s broad non-discrimination provisions risk disincentivizing financial incentive programs, which many consumers value. Testimony at the LA hearing noted that the draft regulations around financial incentive programs are unwieldy and difficult to implement — and that the valuation requirements contemplated by the AG go beyond the statute.
- Unintended Reach. Several participants raised concerns that the breadth of the law may expand its reach to unintended companies — in particular, small businesses that do not meet the revenue threshold but may collect annually the personal information of 50,000 or more consumers by collecting the IP address of users of their website. Participants argued there should be an exception for these small businesses where the only “personal information” collection is an IP address.
- GLBA. Several participants asked for clarification of how the law will apply to companies otherwise subject to the Gramm-Leach-Bliley Act. Specifically, the CCPA is written so that certain information that is subject to the GLBA is exempt from the CCPA, but participants argued that the exemption should be interpreted broadly to avoid applying inconsistent standards on financial institutions.
- Definitions. An often-repeated complaint about the CCPA is its broad definitions. The hearing in LA was a platform for these objections. One person testified that the definition of “sale,” and in particular the notion of “valuable consideration,” was ambiguous, and requested more clarity from the AG. Others agreed that the issues surrounding consideration, and when it triggers the heightened CCPA requirements, were significant for businesses. There were also concerns raised about other definitions, including the definition of “household” and the key definition of “personal information.”
The Wiley Rein Privacy team expects similar concerns to be raised at the remaining hearings and in written comments, which are due on Friday, December 6. San Francisco’s hearing may generate more participation by privacy advocates and others inclined to push the AG to make the law even more demanding.
Among all the confusion from the CCPA and its regulations, one thing is clear: businesses (to the extent they have not already) have a lot of work to do to operationalize this law, and not a lot of time left to do it. Tasks confronting companies include updating policies; drafting new notices; creating mechanisms to enable consumers to seek access, deletion, and opt-out rights; creating procedures for responding to such requests; updating websites; reviewing and revising vendor contracts; and more.
If your company needs CCPA help, feel free to reach out to anyone here on the Wiley Privacy Team.