Highlights of CCPA Rulemaking Comments by IAB and ANA
The deadline for comments to the California Attorney General as part of the rulemaking period for the California Consumer Privacy Act (CCPA) has passed and organizations have released some of their comments. Among them is the Interactive Advertising Bureau (IAB), which asked for clarification or rules in 17 different areas. Additionally, the Association of National Advertisers (ANA) identified nine priority issues and eleven key additional issues for the Attorney General to address. There is some overlap between the two.
The California Attorney General (AG) sought public comment around seven areas during its public forum hearings:
1. Categories of personal information.
2. Definition of Unique Identifiers.
3. Exceptions to CCPA.
4. Submitting and Complying with Requests.
5. Uniform Opt-Out Logo/Button.
6. Notices and Information to Consumer.
7. Verification of Consumer’s Request.
However, the law does not prohibit the AG from taking action in other areas since it is given broad power to adopt regulations to further the purposes of this title, and the list provided to it by the legislature is explicitly provided without limits.
Among the IAB recommended regulations:
(We have left out a few recommendations of the IAB and ANA from this summary in order to provide some focus for businesses trying to anticipate what regulations may be coming from the AG’s office.)
1. Exclude Employees.
Clarify that the CCPA applies to personal information only when the individual acts in their consumer capacities, and the law does not cover employee data. It points out that the definition of personal information expressly includes “[p]rofessional or employment-related information” and thus the law may be interpreted to cover a resident acting as an employee or independent contractor rather than the traditional understanding of a consumer.
2. Delete or Opt Out in Part.
IAB criticizes the CCPA for giving consumers no ability to select what they would like to delete or restrict from sale, since this does not give consumers full control over their data. The IAB requests that the Attorney General allow businesses that elect to offer granular choices to let consumers delete, or opt out from the sale of, part of their information.
3. Specification about Compliance “At or Before the Point of Collection”
The IAB requests a rule that deems a reference to the privacy policies sufficient to provide information to consumers about their data practices at or before the point of collection. The CCPA does not currently state the methods for such notice. The IAB also asked that a disclosure in the privacy policy of a business which collects consumer information from other businesses be deemed sufficient to meet the CCPA’s reference to “at or before the point of collection.”
4. Clarify Household
The CCPA includes “household” data in the definition of personal information but does not define the term or provide guidance on it. IAB notes that this reference could create privacy concerns by requiring a business to provide the information of another household member in response to a consumer request. IAB suggested that the AG clarify that the information to be provided after a request is only information known about the consumer making the request, plus information about others in the household if the individual is their authorized representative.
5. Flexible Consumer Verification
CCPA requires a business to take action on the right to access and right to delete after a “verifiable consumer request”. IAB asks that the AG issue a rule providing that a business may use commercially reasonable methods and if such methods fail then the request may be considered not verifiable. IAB also raised a concern that if information is maintained in a pseudonymized format, it could be difficult to verify the consumer. It would like the rule to provide that businesses do not need to reidentify pseudonymous information.
6. Clarify Explicit Notice
CCPA requires that a third party which receives consumer personal information in a sale from a business not resell it unless the consumer has received explicit notice and an opportunity to opt out. IAB would like the AG to issue a regulation that permits the business selling data to the third party to be able to provide the required explicit notice and the third party to rely on that notice. IAB notes that otherwise the third party may not be able to provide the notice “because they usually have no direct contact with the consumer.” “Without such an interpretation of the law, many products and services in the digital economy are threatened, as the data transfers needed to create or deliver those products could be impeded.”
7. Clarification Around Financial Incentives
CCPA provides that a business may not discriminate against consumers who have exercised their rights unless it meets one of the exemptions. IAB asked the AG to interpret this section as there is no definition of financial incentives and no guidance on either what is “directly related to the value provided to the consumer by the consumer’s data” or what is “unreasonable”. In particular, IAB urged the AG to issue a rule that a reasonable subscription fee may be charged as an alternative to advertising-supported services to consumers who have opted out of data sharing.
8. Allow Additional Business Purposes
The CCPA provides a definition of business purpose with seven enumerated cases and the IAB would like the AG to clarify that they are examples and not an exhaustive list. IAB is concerned that the list is not flexible enough because new business purposes are created in the digital economy and businesses often share information already with service providers for purposes that are not specified in the CCPA. IAB believes such a clarification would align the law with the legislative intent.
9. Backup and Archived Data
IAB requests that the AG declare a consumer request to delete personal information from backup or archival data as “manifestly unfounded” or “excessive”. It would also like clarification around the scope of what is within the ongoing business relationship exemption from the right to delete so that businesses can provide expected subscription messages.
10. Clarify Business Definition
IAB notes that there is no limit on households or devices to those associated with California residents even though the term consumer is explicitly limited as such. IAB also asked for clarification around what it means to “do business” in the state of California.
11. Clarify Extension Period on Consumer Requests
Section 130 suggests that a business may have one extension of 45 days to provide information while Section 145 allows an extension of up to 90 additional days where necessary, taking into account the complexity and number of the requests, notwithstanding the business’ obligation to respond to consumer rights. IAB asks for clarification that both of the extension periods may be invoked by a business.
Association of National Advertisers:
There is some overlap between the ANA and IAB. ANA adds for its priority issues:
1. Preserve Loyalty Discount Programs
The law prohibits discrimination against those consumers who exercise their CCPA rights. However, by exercising the right to deletion or the opt-out right, the ANA contends that the consumer is restricting “the very data that allows them to participate in a loyalty program.” The ANA believes, “Without clarification, many loyalty programs could cease altogether when the CCPA becomes effective.”
2. Clarify Rules for Authorized Representatives
ANA members have received “unauthentic consumer requests by third parties allegedly acting on behalf of consumers under current privacy standards”. The ANA is also concerned that accurate information won’t be provided to the consumer to provide an informed choice. As a result, they have recommended rules that “the authorized representative must properly inform a consumer of their choices and the implications of exercising such choices ….” Also, create “specific requirements for authorized representatives who gather and facilitate consumer CCPA requests” including written authorization detailing the requests to be made, the implications, and how any consumer data will be used.
3. Clarify the Cure Requirement for Security Breaches
ANA has asked the AG to clarify the cure requirements for data security violations. It proposes that fixing the deficient procedures and practices is sufficient when there is no demonstrable harm. For cases of demonstrable harm, the business would need to cure the security procedures and practices as well as provide a process to reasonably reimburse consumers for any actual loss as a direct result of the breach.
The “key additional issues” include:
1. Preserve Ad Measurement and Attribution Activities.
The ANA asked that ad measurement and attribution activities that help refine advertising tactics be classified as an internal use exempt from the deletion right, and as falling within the business purpose of “analytic services” in the exemption from the right to opt out of the sale of personal information.
2. Limit Unintended Impact on Nonprofits
Although the CCPA excludes nonprofit organizations, it is unclear if it applies to businesses when such data will be provided to nonprofits. According to ANA, “Requiring compliance with CCPA rules for businesses that provide data to charities and nonprofits would cripple such entities’ ability to access information in order to further their nonprofit missions.” The ANA asked the AG to clarify that “a business maintained by a business strictly to provide such data to nonprofits, including charities, is exempt from the CCPA’s deletion and opt-out rules.”
3. Ensure the Viability of the Fraud Exception
The exemption to the CCPA’s right to delete around security incidents and protecting against fraudulent activity does not clearly provide for the ability to use data to create anti-fraud products and services. ANA asked for clarity on the scope of this exception so that there would not be an impact on anti-terrorism, anti-money laundering, location of persons in criminal investigations and identity verification efforts.
4. Clarify Operative Ages in the Opt-In Requirement
There is currently an inconsistency around the age with one part providing opt-in consent to those less than 16 years of age and another potentially allowing minors who are 16 years old to opt-in. ANA asked for a definitive rule of children ages 15 and under. This is in line with the request of the Californians for Consumer Privacy in its suggestion of technical amendments to the legislature to bring the law in line with legislative intent.
Additional Thoughts:
The AG website has said that comments would be subject to the Public Records Act, so the submitted comments may be published without a FOIA request. As we receive other comments, we will try to post summaries of particularly helpful or interesting items here on our privacy blog.