California AG Holds First Public Forum for CCPA Rulemaking in San Francisco
On Tuesday, January 8, 2019, the California Attorney General (in conjunction with its parent organization, the California Department of Justice) completed the first of six public forums on the California Consumer Privacy Act (CCPA) that will happen in California in January and February. The forum offered speakers in San Francisco five minutes to comment on aspects of the CCPA, California’s new privacy law.
More than 100 people attended, and photographs of the event showed a packed room (over 150 according to one report). There had been some speculation that the AG’s office might provide remarks about the CCPA law at the beginning of the process or perhaps take questions. However, neither happened. Government representatives explained the purpose of the hearing and asked for comments on the areas identified by the CCPA for the development of AG regulations. Comments were received from 14 people, and the hearing ended after about an hour when no further public comments were offered. The forum was originally scheduled to last three hours.
Among the topics on which the Attorney General has been asked to offer regulations and is seeking public comment/discussion are:
1. Categories of Personal Information
2. Definition of Unique Identifiers
3. Exceptions to CCPA
4. Submitting and Complying with Requests
5. Uniform Opt-Out Logo/Button
6. Notices and Information to Consumer
7. Verification of Consumer’s Request
We have reviewed initial reports of the comments/questions that were made at the forum. Commenters were advised that the statements would be transcribed by the Government. As the website indicates that any information provided will be subject to the Public Records Act, a full transcript of the comments made could be available later. Here are indications of the subject of the comments based on online reports:
– Are the threshold requirements – $25 million annual revenue or data on 50,000 consumers – limited to California revenue and consumers, or are they triggered by global revenue and consumers? For example, the question posed was whether 1 consumer from California and 49,999 from outside California was enough to trigger the law.
– Are businesses that do not initially meet the requirements but fall within the law’s definition of a business later required to immediately comply or will there be a phase-in period for them?
– There were several suggestions for narrowing the definition of “sale”. One way was by excluding third-party ads from the definition.
– There was commentary on the law’s applicability to employees, particularly around narrowing the definition of “consumer” to exclude employees and the need to exclude data concerning workers’ compensation.
– There were several comments around whether the definition of personal information should include IP addresses, AdIDs and inferences drawn for consumer profiles.
– Whether the necessity to provide personal information as part of the right to access would require companies to link data to individuals that would not otherwise be linked.
– The deidentification standard is tough to meet as written in the law, unless it is aggregated.
– The creation of safe harbors for businesses under the laws. This included a suggestion for a template privacy notice and safe harbor for businesses that voluntarily adopt it.
– The implications for user experience (UX) of a single opt-out logo or button for every webpage.
– How the law addresses loyalty programs.
– The implications for low-income populations of offering different levels or prices of goods/services to individuals who opt out of the sale of personal information.
– One commenter asked the Attorney General’s office to reference the NIST security standards as best practices for businesses for the consumer’s private right of action.
Individuals seeking to participate in the process can attend one of the remaining public forums. There are still five left, with the next one scheduled for Monday, January 14th in San Diego. If you wish to attend, there is an RSVP form on their website at https://oag.ca.gov/privacy/ccpa, which also includes a question about whether you would like to speak.
The California Attorney General’s office is also accepting written comments:
– By email to email@example.com
– By mail to: CA-DOJ, ATTN: Privacy Regulations Coordinator, 300 S. Spring St., Los Angeles, CA 90013
It was reported on Twitter by a private individual that the California Attorney General’s Office was hoping to have a draft of the regulations available for comment by the middle of the year, so comments should be submitted by late February or early March at the latest.