California’s Office of the Attorney General (AG) held yet another public forum to discuss the new Consumer Privacy Act (CCPA) in San Diego on Monday. Below are my observations on several main topics discussed during the forum.
Editor’s Note: This was the second of the six scheduled public forums; a summary of the first forum can be found here.
Definitions and Standards
The key issues at yesterday’s forum centered around definitions in the statute and what information might be scoped within the law’s definitions. Cyber security experts, who made up the majority of the audience, strongly recommended deferring to industry definitions published by the National Institute of Standards and Technology (NIST) in Special Publication 800-122. One of the cyber security consultants brought up that if CCPA’s definitions and standards are vague and inconsistent with NIST standards, an issue arises with general liability insurance carriers about what would and would not be insurable risks. This would create a heyday for litigators and uncertainty about liability.
Consumer groups like Consumer Watchdog stated that the ARM industry’s view of data sharing, collection and sale today is at best “quaint” and that the broadest possible interpretation is advisable. Consumer groups also want more opportunities for private causes of action to protect consumers in instances where businesses provide disclosures that simply aren’t packaged in a way that consumers’ permissions would truly be considered “knowing.”
It is essential to prepare and submit any comments before the end of February. The AG’s office is having court reporters capture the testimony provided at the hearing and will then consider that in addition to the submitted comments. Written comments should be sent to PrivacyRegulations@doj.ca.gov or mailed to:
ATTN: Privacy Regulations Coordinator
300 Spring Street
Los Angeles, CA 90013
At this time, the AG’s office will neither comment nor respond to input from the public. After February, the AG’s office will craft a notice of proposed rulemaking – expected by or in September and thereafter will hold televised public hearings. Following this, a final notice of rulemaking would occur. There was no discussion of phasing in enforcement dates, go live dates, or whether model or safe harbor disclosures would be offered.
The ARM industry has an opportunity to make a case for showing that compliance with particular laws such as FCRA, GLBA and HIPAA -- specifically cited in CCPA -- already define guardrails for the collection and use of consumers’ data, possibly justifying an exemption for the industry under CCPA. This seems to be a critical opportunity for industry.
Working with the AG’s Office
The two deputy AGs spearheading the work on CCPA indicated they welcome input from industry groups that have interacted with consumer groups, particularly if it indicates some understanding of key areas of agreement and key areas of difference.
Roughly 100 people were present, the majority of which were cyber security professionals. No other ARM industry professional was present.
Potential Legislation in Other States
It is clear that there is considerable activity in various state legislatures about similar privacy legislation for the coming year in response to the Cambridge Analytica situation. Other key states to watch include (but are not limited to): Oregon, Washington, Massachusetts, Maryland, New Mexico, New York, Florida, and Nevada.
Stay tuned -- the next open forum is on Thursday, January 24, at the Cesar Chavez Community Center in Riverside, Calif.