Unless you have been living under a data protection rock, or have no interaction with the world’s fifth largest economy, you are likely aware that the California Consumer Privacy Act (CCPA) went into effect on January 1, 2020.
Proposed regulations were issued by the California Office of the Attorney General on October 10, 2019, but are not yet in place, meaning that the CCPA roadmap may be in effect, but the rules of the road have yet to be finalized. The Office of the California Attorney General recently held four public hearings seeking comments on the proposed regulations. After attending the public hearing in San Francisco on December 4, 2019, it is clear that companies and industries across the spectrum remain concerned about CCPA’s as-of-yet unclear requirements. Indeed, as of January 6, 2020, the final regulations have not yet been adopted.
Over twenty people took advantage of the opportunity to submit oral comments to the four Attorney General representatives present at the hearing. Per standard Office of the Attorney General procedures, no response was given to any of the comments, however. Some commenters, such as representatives of automobile manufacturers and small local credit unions, presented concerns specific to their industries. Others focused narrowly on one or two aspects of CCPA or the proposed regulations, such as the impact on service providers or the potential for a disparate impact on racial groups or lower-income Californians.
Several commenters expressed concern with the January 1, 2020 effective date of CCPA, particularly given that the Regulations are not yet final. Many of these commenters pointed out inconsistencies in or potentially unanticipated consequences of the proposed regulations that have made it difficult to establish a robust or even reliable compliance framework. For example, one commenter took issue with the requirement that most businesses operate a toll-free number for submitting data rights requests. The commenter noted that particularly for online-only businesses, this requirement does not match with the language providing that mechanisms for such requests reflect the manner in which the business primarily interacts with consumers. Also noted was the potentially expensive nature of operating and staffing a toll-free number service.
Another common thread in numerous comments was a request for model or sample notices and training that companies can use. Regulations under the Gramm-Leach-Bliley Act, for example, provide safe-harbor notice forms that find no analog in CCPA. Comments in a similar vein noted the continuing lack of guidance on the required opt-out-of-sale button for websites and confusion over the way business websites should treat a consumer’s global website browser privacy settings.
One particularly poignant comment noted that CCPA appeared to have been written by a “broken robot,” certainly a reference to the fact that the over 10,000-word Act was proposed, debated, and passed within seven days by the California Legislature. Since that rush to passage, the Legislature and now the Attorney General’s office have been trying to address grey areas, inconsistencies, and simple errors contained in the Act, which itself has caused more change and sometimes more confusion.
Taken together, comments at the public hearing illustrate continued uncertainty and concern surrounding the parameters and impact of CCPA. While businesses have a six-month grace period before enforcement begins in July 2020, they should closely monitor the final regulations—once adopted—and any additional guidance to ensure compliance with this complex, comprehensive, and sometimes convoluted legislation.