New privacy rules hard for all to follow, speakers say

SACRAMENTO — About 100 people packed a conference room near the state Capitol Monday morning to weigh in on California’s new data privacy regulations and to warn of potential costs and litigation risks.

The hearing at the CalEPA Building was the first of four this week organized by the California Department of Justice. The regulations enforcing AB 375, the 2018 state law also known as the California Consumer Privacy Act, were released Oct. 10.

The law was intended to give consumers more power over who collects their data and how it is used. There were seven panelists on hand to hear the comments, mainly attorneys with Attorney General Xavier Becerra’s office who worked on the regulations.

Those speaking came from a variety of backgrounds, from business to non-profits. But one consistent theme emerged: the need to make the law easier for companies and other organizations to follow.

Fittingly, the event began with a technical glitch. The microphone kept shutting off as the first speaker tried to deliver his comments until he finally said, “I don’t think it’s me.”

That speaker — Mark Vinella, vice president of risk management at Travis Credit Union — went on to make a serious point.

“The proposed regulations require the notices are easy to read and understandable by the average consumer,” he said. “However, this is subjective and did not contemplate a method or metric to assess readability.”

Vinella noted the law calls on companies to provide notices, such as “notice at or before collection, notice of right to opt out, notice of financial incentives.” He urged the attorney general’s office to create standardized forms businesses can copy to make sure they comply with the law, adding his industry has found these valuable in adhering to other kinds of complex consumer regulations.

“It is of great value when regulatory agencies provide model forms and notices for our use,” Vinella said. “They ensure a consistent consumer experience. They provide a safe harbor for complying organizations against regulatory criticism or legal action.”

Speaking on behalf of the pro-business Civil Justice Association of California, lobbyist Mike Belote asked that the regulations include more guidance as to how companies can fix violations once they discover them.

“In terms of an issue not covered by the regulations, but which we think might head off litigation risk, is this issue of cure,” Belote said.

Belote noted the original sponsor of the legislation, real estate investor Alastair Mactaggart, has included more regulations on how companies can fix violations of consumer privacy in a 2020 voter initiative he has proposed. Mactaggart dropped an initiative effort in 2018 in a compromise that aided the passage of AB 375.

Kris Rosa, lobbyist for the Nonprofit Alliance, said the privacy act could inadvertently harm underfunded charitable and advocacy organizations by making it more expensive to learn about potential donors.

“Costs to reach new individual donors will increase,” Rosas said. “Access to data is of the utmost importance to the survival of nonprofits, as it is the primary method by which we connect to prospective donors.”

Brent Blackaby urged the regulations fix many of the problems that have come up with the law on which the privacy act is largely based: the European Union’s General Data Protection Regulation, implemented last year. Blackaby, co-founder of Confidently.com, a San Francisco company that sells tools to help consumers protect their data privacy, said the regulations should make it more clear how consumers can file complaints.

“Based on the recent concern from the GDPR in Europe, most of the privacy officers that we’ve talked to there report receiving a handful of data access requests every week, even while they’re serving millions of consumers,” Blackaby said. “We believe this is not because consumers don’t want to but because the process is in many respects very arduous and arcane.”

Heather Smith, president of the Sacramento chapter of the American Advertising Federation, lamented the hearings are taking place less than a month before the law goes into effect on Jan. 1. This is despite that the law was written with a one-year delay to allow for the regulatory process to play out.

“The proposed rules have introduced several brand new obligations that were not contemplated or expressed in the CCPA itself,” Smith warned. In particular, she pointed to the law’s “single browser opt-out mechanism.” Under this rule, if consumers choose the opt-out feature in their browsers, it could create obligations to protect that data by third parties that have no way of knowing the consumer made that choice.

The hearings continue Tuesday morning at the Ronald Reagan Building in Los Angeles. The committee will meet at the Milton Marks Conference Center in San Francisco on Wednesday and the Hugh Burns Building in Fresno on Thursday. All hearings are scheduled at 10 a.m.