On March 5, 2019, the California Attorney General held the seventh and final public forum regarding its rulemaking authority under the California Consumer Privacy Act of 2018 (the “CCPA”) at Stanford Law School in Palo Alto, California. The forum was well-attended, with approximately 50-75 attendees, 26 of whom spoke at the forum. The forum was hosted by three representatives from the Attorney General’s privacy unit, including Stacey D. Schesser, the deputy attorney general who recently testified before the Assembly’s Committee on Privacy and Consumer Protection regarding expanding the reach of the CCPA.
As with previous public forums, the representatives of the Attorney General’s privacy unit began the forum by describing the rulemaking process and reiterated that the Attorney General’s office will not even begin to draft new regulations until early Fall 2019. After the office releases drafts of the new regulations in the Fall, another series of public comments sessions will be held to address those draft regulations. As with prior forums, the Attorney General’s representatives did not respond to the public’s comments at the event, but merely took notes regarding what was said.
Most of the speakers at the forum were consumer privacy advocates, including several members of Californians for Consumer Privacy, the official proponent of the ballot initiative that prompted the passage of the CCPA and drafters of many provisions of the law. The consumer privacy advocates primarily addressed the attendees of the forum, rather than the Attorney General’s representatives, apparently attempting to lobby attendees that the CCPA, while not “perfect”, is necessary legislation that will not result in major disruptions to commerce in California.
Despite being outnumbered, a few attendees representing business interests also offered suggestions, some focusing on the need for the Attorney General to provide clarity to the businesses that will need to comply with this law in nine months. Specific suggestions included:
• Device identifiers alone, without other information linking those identifiers to actual consumers, should not constitution personally identifiable financial information;• Clarity is needed regarding the scope of the definition of the term “sale”, in particular in connection with regulation of the ad-tech industry;• Regulations should include expanded safe harbor provisions with respect to data protected under CalFIPA and the Gramm-Leach-Bliley Act, and the Attorney General should produce notifications to consumers for financial institutions to use with respect to information protected under those existing financial privacy laws;• References to “households” and the ability of household members to obtain information regarding other household members should be eliminated;• Safe harbors should be established by the Attorney General with respect to procedures and standards for verification of verifiable consumer requests;• Clearer definitions are needed of the terms “sale”, “violation”, “manifestly unfounded and excessive” and “categories”.
One commenter pointed out that the Attorney General’s intention to delay formal rulemaking until Fall 2019 likely meant that a final set of regulations would not be in place when the law takes effect on January 1, 2020. This commenter suggested that, therefore, implementation of the CCPA should be delayed to provide businesses with time to comply with the regulations before the law takes effect.
As noted above, the representatives from the Attorney General’s office did not respond to these comments. Accordingly, it is difficult to predict how the rulemaking process will ultimately play out. However, there is hope that the Attorney General’s regulations, whenever promulgated, will provide needed clarity and a blueprint for compliance that is severely lacking in the law itself.