The Office of the California Attorney General (AG) held its seventh and final public forum on the California Consumer Privacy Act (CCPA) on March 5, 2019, at Stanford Law School.
As with the earlier forums, AG representatives were not permitted to respond to questions regarding California's landmark new privacy law. The event nevertheless provided a valuable opportunity for the public to help focus rulemaking efforts, particularly on the seven areas delegated to the AG in Civil Code Section 1798.185:
The event was attended by approximately 100 members of the public who represented a range of businesses, advocacy groups and private citizens. Compared with some of the earlier CCPA forums, commentators expressed a wider diversity in their points of view and many touched on one of five general topics:
First, multiple commentators encouraged the AG to clarify ambiguities and eliminate gaps in the definitions of key terms such as "personal information" and "sale." Others expressed concern that terms could not be accurately defined unless and until the AG obtained a deeper understanding of the realities of data transfers in digital ecosystems.
Desire that the government dig into the nuances of digital relationships was also evident in comments concerning practical application of the CCPA. A second focus of the comments was non-consumer-facing service providers and vendors of consumer-facing entities. Under the current language, service providers — entities that receive personal information pursuant to a contractual relationship — are effectively subject to the same requirements as consumer-facing businesses. Service providers, however, often have no direct relationship with consumers and, therefore, little-to-no opportunity to provide the notice required under the CCPA.
A handful of commentators raised this concern specifically in the context of AdTech. Dozens of behind-the-scenes companies receive information in the split second it takes to load a website — domain owner, vendors necessary to host the site, advertiser, advertising agency, demand-side platform, supply-side platform, ad exchange, ad network, dozens of publishers, etc. It would be impractical, if not impossible, commentators argued, for each player to give notice and comply with the other requirements of the law.
A third theme was validation of consumer requests and the need for detailed guidance around the process. Several speakers requested that the AG weigh in to clarify the remedies available to consumers, and potential consequences to business, of denying an unverifiable request.
A fourth theme was the time and effort that businesses have dedicated to operationalize the requirements of the European Union's General Data Protection Regulation (GDPR). Many consumers also are now generally aware of the broad rights and protections provided under the European law. To that end, commentators encouraged the AG to use the rulemaking process to bring California's law in closer harmony with GDPR.
Finally, speakers shined a light on enforcement issues. Recognizing staffing and funding challenges, commentators urged the AG to delegate some of its enforcement powers to local authorities in order to fulfill the law's enforcement mandate. Relatedly, business representatives emphasized the need for time to come into compliance after the rulemaking process is complete. Absent recognition of this reality in the regulations, businesses reasonably fear a wave of consumer litigation on January, as private actions are not subject to the July 2020 enforcement date applicable to government-filed actions.
A transcript of the March 5 forum will be made available on the AG's CCPA website. You can also review transcripts of the six earlier public forums. Although this was the last of the scheduled public forums, the AG is still taking written comments through Friday, March 8, 2019.
The AG anticipates publishing its Notice of Proposed Regulatory Action by fall 2019. The public will have another opportunity to weigh in during the formal public comment period that follows issuance of the draft regulations.
The forthcoming regulations should clarify at least some of the steps toward implementing CCPA requirements. In the meantime, businesses should be taking steps to prepare, such as data mapping and making an inventory of vendors.
Holland & Knight's attorneys have extensive experience counseling clients on privacy and data security as well as defending companies in regulatory enforcement actions and private litigation regarding consumer protection and privacy issues. For more information or a specific question about how the forthcoming regulations could affect your company, please contact the authors.
Information contained in this alert is for the general education and knowledge of our readers. It is not designed to be, and should not be used as, the sole source of information when analyzing and resolving a legal problem. Moreover, the laws of each jurisdiction are different and are constantly changing. If you have specific questions regarding a particular fact situation, we urge you to consult competent legal counsel.
Please note that email communications to the firm through this website do not create an attorney-client relationship between you and the firm. Do not send any privileged or confidential information to the firm through this website. Click "accept" below to confirm that you have read and understand this notice.