Beginning on Monday, December 2, 2019, the California Attorney General began holding a series of four public comment hearings to receive comments on the draft regulations issued by the Attorney General in October 2019 regarding the California Consumer Privacy Act of 2018 (“CCPA”). Severson & Werson attorneys Joseph W. Guzzetta and Evelina Manukyan attended the San Francisco public comment hearing on December 4. At the hearing, a series of business representatives, business advocates and consumer and privacy advocates offered various comments and proposals regarding the draft regulations and requests for additional guidance or Attorney General action.
One of the authors of the CCPA – Rick Arney – was present at the hearing and offered comments. Mr. Arney’s comments focused on various aspects of the proposed regulations, including requesting that the Attorney General change the proposed regulations to require businesses that receive “Do Not Sell” requests under the CCPA to stop selling that consumer’s information immediately – not within 15 days as required in the Section 999.315(e) of the proposed regulations. Additionally, Mr. Arney sought an expansion of the definition of “service provider” to include businesses that process information on behalf of government agencies.
While not directly related to the text of the proposed regulations, other privacy and consumer advocates and individuals expressed the concern that businesses were not taking privacy seriously, and were attempting to do the bare minimum necessary to avoid an enforcement action under the CCPA. These commenters, however, generally lacked concrete proposals for changes to the proposed regulations.
As with the public comment hearings that took place in March 2019, several commenters representing business interests at the San Francisco hearing expressed the hope that the Attorney General would delay the January 1, 2020 effective of the CCPA by up to two years, given the perceived ambiguities in the statute and proposed regulations. It is unlikely that the Attorney General could delay a statutory implantation date, even if he desired to do so. Nonetheless, the desire for delayed implementation was a recurring theme at the hearing.
Several commenters asked the Attorney General to provide a template “opt-out” button that businesses could use on their websites for their “Do Not Sell” webpage required by the CCPA. Relatedly, several business advocates sought template disclosure and notice language from the Attorney General, which we have noted was conspicuously absent from the proposed regulations in previous ‘blog posts. Finally, several commenters requested that the Attorney General issue compliance checklists for business seeking to implement the CCPA’s requirements.
Commenters also addressed the fact that the proposed regulations require businesses to consider web browser “do not track” signals and settings as valid requests to opt out of the sale of personal information in Section 999.315(c). These commenters noted that the proposed requirement is too broad, and goes beyond what is required of businesses in the statute itself. Additionally, several financial institution representatives noted the differences in the definition of “personal information” in the proposed regulations and the CCPA and the Gramm-Leach-Bliley Act, and requested clarification.
Other advocates addressed the methods for submitting CCPA verifiable consumer requests by toll-free telephone number, noting that most customers are used to submitting requests via email, and that statistically, most such requests arrive in that manner. Additionally, commenters noted that toll-free telephone numbers are expensive for businesses, and susceptible to fraud. Others noted challenges in assigning value to consumer data. Finally, several commenters asked the Attorney General to clarify what constitutes a “reasonable security procedure” under the CCPA.
The Attorney General closed the comment hearing at approximately 11:50 a.m. when no further comments were forthcoming from attendees. Interested parties still can submit written comments to the Attorney General regarding the proposed regulations by or before December 6, 2019.
If you have any questions regarding the Attorney General’s proposed regulations, or the CCPA in general, please contact Joseph W. Guzzetta at email@example.com or Evelina Manukyan at firstname.lastname@example.org.