The California Consumer Privacy Act (“CCPA”), was passed last summer as a compromise to avoid a highly restrictive privacy regime slated to appear on the November 2018 ballot in California. Amidst much controversy and debate, the California Attorney General’s Office is set to draft implementing regulations for the new law. As part of that process, six public rulemaking workshops have been scheduled for the public to provide comments and voice concerns. The first took place on January 8, 2019 in San Francisco and was attended by a cross-section of trade associations and privacy advocacy groups. Although the public comments covered a variety of topics, a few themes emerged:
- Industry groups want to more closely align the CCPA’s provisions with other privacy regulations such as the European Union’s General Data Protection Regulation (“GDPR”). Many businesses have already undertaken the Herculean task of coming into compliance with the EU law. They propose establishing a safe harbor under the CCPA for businesses that are GDPR compliant.
- Several comments were directed to one of the more controversial provisions of the CCPA - the “right to equal service and price,” which refers to the CCPA’s prohibition against discriminating against consumers who exercise their rights under the CCPA not to provide personal information. This anti-discrimination provision does, however, allow businesses to offer different prices or levels of service if the difference is “reasonably related to the value provided to the consumer by the consumer’s data.” Several parties commented that the phrase “the value provided to the consumer by the consumer’s data” is ambiguous. Retail industry spokespersons expressed concern about the absence of an exception for businesses that offer or maintain loyalty, rewards, or club card programs, and the need for an explicit carve-out for such programs.
- A call for a narrower definition of what constitutes the “sale” of a consumer’s personal information. The CCPA currently defines “sale” as any dissemination of a consumer’s personal information “to another business or third party for monetary or other valuable consideration.”
- Other commentators voiced concern that the requirement to authenticate and process consumer opt-out requests could have the unintended consequence of businesses collecting personal information that they would otherwise not collect, or linking data that had not previously been linked to a consumer.
Additional public forums will take place on January 14 in San Diego, January 24 in Riverside, January 25 in Los Angeles, February 5 in Sacramento, and February 13 in Fresno. Once the AG has drafted and promulgated the implementing regulations we can anticipate yet another round of public hearings, and further opportunity for public comment.