On December 2, 2019, in Sacramento, the California Attorney General (AG) kicked off its first public hearing collecting comments for its proposed regulations to the California Consumer Privacy Act (CCPA). There were approximately 12 different commenters, which is remarkably fewer than at the previous CCPA public hearing in Sacramento. Although the comments were few, one theme was clear. Organizations support increasing consumers’ privacy rights, but the proposed regulations have done little to help businesses and service providers operationalize many aspects of the CCPA.
Disclosures and Requests for Model Notices
Some expressed concerns that the proposed regulations will create confusion for consumers. They stated that consumers are overwhelmed with information and want short and simple notices and disclosures as opposed to the robust and lengthy notices and disclosures required by the CCPA. For example, one commenter explained how there are dozens of purposes for which a company collects information, and having to list all of them is going to be arduous. Representatives from financial service industries, including credit unions and banks, explained how it would be helpful if the AG published model notices and disclosures. Model notices and disclosures would serve many purposes, such as helping consumers have a more consistent experience across organizations, providing safe harbors for businesses, and reducing the burden organizations are having in interpreting and adapting to the CCPA’s requirements.
Disclosures During Telephone Calls
One commenter pointed out that the proposed rules assume that the required notices and disclosures will be provided in writing (see § 999.305(a)(2)); however, what if the information is collected orally? How should a business provide required notices and disclosures when it collects information through a telephone conversation? Does the business collecting that information have to list all the categories of information verbally?
Speaking of telephone conversations, many businesses record telephone conversations. Since audio may be considered personal information under the CCPA, does the business now have to provide call recordings at the consumer’s request, and if so, how should the business provide those recordings to the consumer?
Requests to Delete v. Opt-Outs
Others expressed concerns about how the proposed regulations instruct companies to treat a request to delete if they cannot verify it as a request to opt-out of a sale (see § 999.313(d)(1)). They felt the right to delete should not be conflated with the right to opt-out. They also raised concerns about practical and technical challenges posed by allowing consumers to opt-out via user-enabled privacy settings and plugins (see § 999.315(a)).
Confusion about Party Designations
One commenter stated that the CCPA’s treatment of “business” versus “service provider” versus “third party” is so complicated that it can prevent legitimate data sharing between businesses. Another commenter stated concerns around requiring service providers to process and respond to requests for information and requests to delete information. How is a service provider—such as Salesforce, for example—supposed to know what it should or should not delete when it is simply holding information for its customer?
CCPA Not Scalable
A few comments focused on the lack of scalability the CCPA poses for both consumers and businesses. For example, consumers will have to potentially make hundreds of individual requests for information to each business and/or service provider they know may have their personal information. This would also require consumers to follow numerous different verification procedures to have their requests treated as a “verifiable consumer request” under the CCPA. This could prove daunting to consumers.
Additionally, the CCPA may prove burdensome for companies. Looking at the GDPR for lessons learned, some companies in Europe report having to process hundreds of requests for information received in a week. One commenter asked the AG to change its proposed rule so that the 45-day response period to customer requests begins when the company can treat that request as a “verifiable consumer request” rather than when it receives the request (see § 999.313(b)).
Companies Should Submit Written Comments
The deadline to submit written comments to the California AG is Friday, December 6th, and public forums around the state in Los Angeles, San Francisco, and Fresno are being held this week. The AG encourages comments and has even published Tips on Submitting Effective Comments. Submitting a comment is as easy as sending an email to PrivacyRegulations@doj.ca.gov.
As we all look to operationalize the CCPA, whether as a business, service provider, or third party, this is our opportunity to provide the AG with insight into the challenges, questions, and suggestions we have for making compliance with the CCPA something we can all be confident with.