The California Attorney General’s office kicked off its tour of public comment hearings on the California Consumer Privacy Act (CCPA) in San Francisco on January 8. While over 100 people attended, only 14 shared any comment or input.
Representatives taking comment requested that any input include the following points.
• Categories of Personal Info and what else should be added
• Definition of Unique Identifiers and what else should be added
• CCPA Exceptions
• Submitting and complying with requests
• Uniform opt out logo/button
• Notices to consumers
• How to conduct identity verification before sharing any information as required by the law.
Comments provided were a little more wide ranging:
Industry Concerns over lack of clarity on safe harbor, certifications and sale/PI definitions
• There were repeated requests for safe harbor regulations to allow companies to comply
• A number of advertising companies noted that the National Advertising Initiative already has a system to ensure opt-outs in compliance with GDPR. This laid bare another notable difference between GDPR and CCPA: GDPR allows approved certifications as an additional safe harbor for compliance, while CCPA does not.
• CCPA allows an exemption from consent to sell information in cases where a sale of a business or merger is involved, but does not address the sale of a division or line of business. Several commenters expressed concern over this and asked for clarification.
Advertising marketplaces and loyalty programs fall into a gray area under CCPA
• Loyalty programs were also discussed as falling into a gray area under the law.
• The definition of “sale of information” needs to be refined. Commenters were concerned about advertising marketplaces, which sell ad space rather than information, even though that space can be used to target customers based on browsing patterns.
IP Address and Device IDs as PI have far ranging consequences
• Several commenters noted that defining IP addresses as personal data was too broad. In the EU, many jurisdictions view IP addresses as personal data only if tied to other identifying data. This also raised concerns that IP address data could artificially inflate the number of “records” collected by small businesses past the 50,000 threshold, thus requiring them to comply with CCPA.
• Similarly, if device IDs are considered personal data under CCPA, it could create issues for wireless and ISP providers since families and roommates often share devices, so it would not be clear who would get the information on device use if requested under CCPA.
Non-Discriminatory Pricing and Customer Inference data can help consumers, but cost business
• Clarity was requested regarding the non-discriminatory pricing language. On one hand, low-income families may be forced to choose between cost and making their data available; on the other hand, industry representatives argued that the cost of providing the service or ads without data should be treated as a compensable service to offset the losses.
• Some consumer-minded commenters noted the lack of guidance on customer inference profiles. These may not contain direct personal data, but they reveal a great deal about patterns of behavior and could be used to show consumers how their actions help marketers target or influence them.
• Any standard of care for security of data should refer to existing standards such as NIST standards.
Customer Verification Means More Personal Data Collection
• CCPA requires that companies verify the identity of consumers seeking to receive copies of information collected about them. As several commenters pointed out, by collecting documentation to verify identity, companies will have to collect and store more sensitive data to become compliant. Several industry commenters requested greater guidance on how to balance the risks and burdens of collecting and storing this information.
Other Industry Specific Comments
• Industry representatives who work with workers’ compensation insurance suggested that, since their records are already regulated with respect to privacy, CCPA should not cover them (several other industries are exempt to the extent that existing regulatory regimes such as HIPAA cover them).
• Attorneys who work with a number of tech and HR issues suggested that additional protections need to be put in place for HR records to maintain confidentiality and avoid disclosure of complaints and other HR records.
Most of the comments reflected concerns already acknowledged by the Department of Justice office, namely that the law itself was hastily constructed and will be subject to extensive updates this legislative session.
The next public comment event is January 14 from 10am to 1pm at Cal State San Marcos, just north of San Diego.