Businesses express concerns with CCPA at public forum

On Friday, the California attorney general's office hosted a public forum at the Ronald Reagan Building in downtown Los Angeles regarding the California Consumer Privacy Act of 2018. The CCPA tasks the attorney general with promulgating rules and regulations related to the implementation of the legislation. The purpose of the forum was to solicit public comment on the CCPA as the attorney general enters the initial, informal phase of its rulemaking process. This hearing was the fourth of seven such events being held across the state in first quarter of this year. The meeting was attended by representatives from the attorney general's office, including attorneys in both the privacy and consumer law sections, as well as approximately 100 members of the public.

Approximately 20 members of the public offered comments at the forum, the majority of whom were representatives of businesses or trade associations likely to be subject to the CCPA. A handful of consumer privacy advocates also voiced their views. During the course of the comments, a number of concerns came into clear focus.

Business representatives requested that the attorney general's regulations clarify a few key terms and provisions. According to several speakers, the scope and meaning of the term "sell" in particular needs further clarification. The CCPA provides consumers with the right to request that a company stop selling their persona information. Several people expressed a concern that the CCPA's definition of "sale" as the exchange of data "for monetary or other valuable consideration" is too broad. Given use of the term "valuable consideration," any exchange of personal data under an agreement where the transferring party receives a benefit to which it would not otherwise be entitled may be considered a "sale" under the CCPA. Multiple speakers explained that, under this definition, disclosures to a service provider may be deemed a "sale" absent further clarification from the attorney general's office.

Speakers also expressed the need for guidance regarding the calculation of the revenue threshold in the CCPA. Among the businesses subject to the CCPA are businesses with "annual gross revenues in excess of twenty-five million dollars." Several commentators observed that important details regarding the calculation of revenue for this purpose remain unspecified. For example, is the relevant revenue figure worldwide or is it limited to California revenues? Similarly, does the revenue have to be attributable in some manner to the sale of personal information? Businesses want further clarification so they can determine if they are subject to the requirements of the CCPA.

The opt-out procedure required by the CCPA emerged as an area needing further specification. The CCPA expressly requires that companies provide a clear link on their homepages labeled "Do Not Sell My Personal Information." Given the broad statutory definition of "sell," some businesses expressed the concern that the language of the required link would cause customer confusion regarding how the businesses actually use the consumer's personal information. Some advocated replacing the textual link with a standardized logo that all companies would be required to use. Consumer advocates stated that completion of the opt-out procedure should be streamlined and not buried under a multitude of page clicks.

A number of speakers expressed concerns with the verification requirements under the statute. The CCPA grants the consumers the right to request certain specified disclosures related to their personal information, including what data has been collected and the source of that information. Before responding to such a request, however, businesses must first verify the identity of the individual making the request. As several speakers pointed out, responding to disclosure requests necessarily poses its own data security risks, and companies are not all equally positioned to verify personal data requests. Some businesses subject to the CCPA will have extensive databases of detailed information, making verification relatively simple and certain. Others will only have collected small amounts of information (such as a device identifier), making verification all but impossible without gathering additional information from the consumers submitting the request. Given these variances, speakers suggested that the verification process should be "flexible" and account for the nature of the relationship between the consumer and the company. Others recommended that the attorney general issue regulations specifying "commercially reasonable" efforts necessary to satisfy the verification requirement. Still another speaker proposed that the attorney general's regulations authorize the use of credit bureaus as part of the verification process.

In addition to these concerns, speakers raised issues related to nondiscrimination requirements, safe harbor provisions for compliance with Europe's General Data Protection Regulation and various federal data privacy statutes, and the minimum level of data security required.

Representatives from the attorney general's office did not respond to any of the comments, consistent with the adopted procedure at this informal stage of the process. Previous forums had been held in San Francisco, San Diego and Riverside, and future forums are scheduled in Sacramento, Fresno and Palo Alto. The attorney general's office is encouraging interested parties to submit written comments during this phase as well. According to the schedule outlined at the meeting, the attorney general's office anticipates publishing its notice of proposed rules in in the fall, thus opening the formal round of rulemaking with an additional period of public comment.