When California Governor Jerry Brown signed the California Consumer Privacy Act (CCPA) into law on June 28, 2018, there was broad agreement that revisions and clarifications were necessary. The CCPA was written and enacted with extraordinary speed, as legislators felt the need to move quickly in order to preempt a data privacy ballot initiative that had received enough signatures to be placed on California’s November ballot. Consequently, June 28 was, in many ways, the beginning of a debate over the specifics of the CCPA, rather than the end. Indeed, the California legislature has already passed a “clean-up” bill to address concerns expressed about the CCPA, and heated debates over the meaning and merits of specific provisions continue.
Against this backdrop, and with less than a year before the CCPA goes into effect on January 1, 2020, eyes are now increasingly turning to the California Attorney General (AG). The CCPA mandates that the AG “solicit broad public participation and adopt regulations to further the [CCPA’s] purposes,” including with respect to seven specific focus areas, before July 1, 2020. Given the public interest in, and lingering questions about, the CCPA, this rulemaking is eagerly anticipated, and the AG’s Office has consequently decided to host a series of public forums throughout the state in order to collect stakeholder input.
While it’s of course still too early to tell how the AG’s regulations will ultimately shake out, these forums nonetheless are valuable indications of what may be to come as businesses wrestle with several key questions for CCPA compliance. What provisions might the AG regulations address? What other provisions might they address, such that compliance efforts should be careful not to get too far ahead of the regulatory clarification? What are the next steps? The forums won’t likely provide definitive answers, but they will likely provide some of the best information available.
What will the regulations necessarily cover?
At the outset of the forums, attorneys from the AG’s office are emphasizing that its rulemaking process will focus on the seven specific items listed in the CCPA (see Cal. Civ. Code § 1798.185(a)):
- Categories of Personal Information. Updating as needed additional categories of personal information to those enumerated in the bill in order to address changes in technology, data collection practices, obstacles to implementation, and privacy concerns.
- Definition of Unique Identifiers. Updating as needed the definition of unique identifiers.
- Exceptions. Establishing any exceptions necessary to comply with state or federal law, including but not limited to those relating to trade secrets and intellectual property rights, within one year of passage of this title and as needed thereafter.
- Rules for Opt-Out of Sale. Establishing rules and procedures governing requests from consumers to opt-out of the sale of personal information, including through the development and use of a recognizable and uniform opt-out logo or button by all businesses to promote consumer awareness of the opportunity to opt-out.
- Inflation-adjustment of Monetary Coverage Threshold. Adjusting the monetary threshold governing what businesses are covered by the Act.
- Rules for Notices and Information. Establishing rules, procedures, and any exceptions necessary to ensure that the notices and information that businesses are required to provide pursuant to this title are provided in a manner that may be easily understood by the average consumer, are accessible to consumers with disabilities, and are available in the language primarily used to interact with the consumer, including establishing rules and guidelines regarding financial incentive offerings.
- Rules for Verifying Customer Requests. Establishing rules and procedures to govern a business’s determination that a request for information received by a consumer is a verifiable consumer request.
What other issues might the Attorney General’s regulations address?
Participants at the forums have commented on a wide range of topics, many of which fall outside the seven statutorily mandated subjects of rulemaking. Since the AG’s office did not respond to comments at the forum, we don’t know how the AG is thinking about these issues or even if the regulations will necessarily address them. But the comments nonetheless provide some insight into what the AG’s office may be considering:
Clarification of What Business Activities Trigger CCPA. The CCPA only applies to for-profit entities that “do business in the State of California,” Cal. Civ. Code § 1798.140(c)(1), but several forum participants noted that this important phrase is not defined in the statute, nor is there a definition in other parts of California law that obviously applies. Participants thus repeatedly requested that the regulations provide clarity on this issue, particularly on the type of California contacts that would subject a business to CCPA jurisdiction. Speakers also urged that the regulations clarify whether the numerical thresholds for a business to fall within the Act’s coverage – i.e., the thresholds of having more than $25 million in revenue or annually receiving personal information on 50,000 or more “households” or “devices” – must have a California nexus (e.g., revenue originating in California), id. § 1798.140(c)(1)(A) and (B).
Non-Discrimination Should Not Preclude Charging a Reasonable Fee for Access to Content. Participants at both sessions focused on the CCPA’s requirement that businesses not “discriminate” against consumers who opt out of having their personal information sold or shared. See id. § 1798.125(a). These commenters noted that the sale of such data makes it possible for businesses – especially smaller publishers – to provide online content free of charge, and they thus urged the AG’s office to, consistent with the statute, specify that businesses can charge a reasonable fee to consumers who exercise their right to prevent their data from being sold to third parties, yet continue to want unrestricted access to businesses’ online content. See id. § 1798.125(a)(2) (allowing a different rate to be charged to consumers who opt out if it is reasonably related “to the value provided to the consumer [sic] by the consumer’s data”).
What About Employees? Speakers also asked for clarity about how the CCPA requirements will apply to employee personal information collected in connection with routine human resources processes. They noted that, while nominally the statute is known as the “consumer” privacy act, there is nothing in the text of the statute that indicates the data disclosure requirements do not apply to a business’s collection of employee information, which presents notably different policy considerations.
Differing Views on Personal Information. Given that the statute requires the AG to address the definition of personal information, it is unsurprising that it was a hot topic during the forum sessions. On the one hand, consumer groups advocated to keep the definition of personal information as broad as possible. Several industry-focused speakers, on the other hand, urged that the definition be refined to reflect what they saw as the technological and practical constraints of data identification. For example, while an IP address may be “capable” in the abstract of being associated with an individual and thus potentially encompassed within the definition of “personal information,” in practice, a dynamic IP address might be assigned to multiple users over the course of time, making efforts to associate the IP address with just one user or consumer extremely difficult, time-consuming and expensive.
Indeed, citing the high cost of compliance, several industry speakers suggested changing the definition of personal information to mean only sensitive types of personal information – e.g., name, email, fingerprints, medical data – that can be used to readily identify an individual. Others requested that the definition be changed to the more narrowly-tailored definition used in the data breach section of the Act and other California data privacy laws. And several speakers from the financial services industry asked that the Attorney General clarify that banks and other financial institutions’ incidental receipt of personal information during the course of a transaction is exempted from the Act’s coverage.
Verification of Consumer Requests – Clear Rules and Exempt Weak Identifiers. Consistent with the requirement that the AG issue further guidance on verifying customer requests, a number of speakers requested that the regulations describe verification “best practices” to provide businesses with needed guidance. In drafting such best practices, commenters asked for the AG’s office to be mindful of situations in which personal information collected may not be easily associated with a consumer without the collection of additional data. For example, a company might track a user’s web browsing to facilitate online advertisements, but not link the data to a specific consumer. In such a case, speakers urged regulators to not require additional data be collected for the sole purpose of associating the IP address with a particular consumer. Industry representatives also highlighted the burden that compliance with data requests could place on smaller businesses, and requested that the AG consider taking into account the size of a business.
Reimagining the “Do Not Sell My Personal Information” Link. Another of the mandatory rulemaking topics – the link enabling consumers to opt out of the sale of their data – was a topic of discussion during the forums. Several speakers endorsed the idea of using an icon similar to the “Ad Choices” symbol used in digital advertisements. They noted that such an icon – rather than the “Do Not Sell My Personal Information” link the statute appears to prescribe – would be preferable because, among other things, the “do not sell” language imperfectly describes the scope of the opt-out. (The CCPA’s expansive definition of the “sale” or “selling” of personal information includes over 10 definitions of “sell” including disclosing, disseminating or simply communicating personal information for money or “other valuable consideration.” Cal. Civ. Code § 1798.140(t)(1).) Consumer groups emphasized that whatever mechanism is used to facilitate opting out should be simple and transparent and not require consumers to wade through layers of permissions or disclosures in order to exercise their rights.
Safe Harbors and Concrete Guidance. Finally, and more generally, industry stakeholders repeatedly requested that the regulations provide concrete examples of how businesses can comply with various CCPA provisions. While such guidance would be appreciated across the board, specific examples that were raised include: templates for opt-out notices and consumer data requests; directions on how to screen for children and teens, given the Act’s provisions requiring affirmative authorization to sell the personal information of individuals known to be under 16 and deeming willful disregard of a consumer’s age as actual knowledge; and directions on how to synthesize the overlapping obligations of California and federal regulations that govern data privacy but were not expressly preempted by CCPA (e.g., California’s Shine the Light law).
What are the next steps?
The recent public forums are only part of the AG’s office’s information-gathering efforts – it has also invited written comments from stakeholders both by mail and through its dedicated CCPA email address (PrivacyRegulations@doj.ca.gov) by March 8, 2019. Given the public interest in this topic, it is likely that the volume of feedback will be substantial. Nonetheless, the AG has emphasized that it is aiming to issue draft regulations in Fall 2019.
This timing may help address an anomaly in the bill. The CCPA enters into force on January 1, 2020, but doesn’t require the AG to finish his rulemaking until six months later, on July 1, 2020. In other words, the Act technically requires businesses to comply with its provisions six months before the AG is obligated to provide guidance on how they must do so. Thus, while these draft regulations may not be finalized by the time the CCPA enters into force, and will of course be subject to change, they nonetheless may provide practical guidance on what is necessary to comply with the Act.