At a hearing at the California State Assembly in Sacramento Wednesday, members of the Privacy and Consumer Protection Committee sought to hear from witnesses about the California Consumer Protection Act — specifically, what must be amended about the law before it becomes effective in 2020.
During the three-hour hearing, representatives from the California Chamber of Commerce, California Retailers Association, American Civil Liberties Union and independent academics and researchers, among others, voiced concerns about the CCPA's private right of action, the law's definitions of terms as they stand now, and the ability of companies to adequately prepare for and comply with such a sweeping law.
Tanya Forsheit, CIPP/US, CIPT, PLS, chair of the Privacy & Data Security Group at Frankfurt Kurnit Klein & Selz, testified that 88 percent of companies spent more than $1 million preparing for the EU General Data Protection Regulation and had two years to prepare for it. "Despite that, many, if not most, U.S. companies are still not in compliance" because compliance is such a significant undertaking. "The CCPA is even more complex," she said, adding that companies are not ready for it and won't be.
Forsheit, along with several industry representatives at the hearing and in the public comment forum that followed witness testimony, strongly encouraged changes to the CCPA, including definitions themselves. Specifically, personal data is considered information that "identifies, relates to, describes, is capable of being associated with, or could reasonably be linked directly or indirectly with a particular consumer or household," and Forsheit said this is problematic.
What does "household" mean? What if many people live in that house; whose data is it? Forsheit also said the definition of "consumer" is broad enough that it could inadvertently capture employee data, creating a complication compliance matrix, especially for small businesses.
Eric Goldman, a law professor at Santa Clara University, testified that the definition of personal information is so overly broad that it essentially treats all data within a business's possession as personal information.
Independent researcher Ashkan Soltani, who was hired as a consultant by Alastair Mactaggart's team during the bill's initial drafting, is less concerned. He said the CCPA isn't all that complicated and ultimately puts the enforcement focus where it should be: with the first party."
Soltani said privacy law is a difficult thing because we're used to relying on this "notice and choice" framework, in which it's believed that as long as consumers are told, somehow, what's happening with their data, and they say "ok," then it's play ball.
The problem, of course, continued Soltani, is that "consumers don’t interact with the agreements. ... It's very difficult for consumers to understand how their information is shared and sold. So it's important to think about this privacy law in that context. What this law protects are areas where current regulators don’t have a lot of authority or effectiveness."
The regulator of the CCPA, when it becomes effective, will be the California attorney general's office, which is currently holding public workshops across California for input. On hand at the hearing yesterday was Supervising Deputy Attorney General on Consumer Protection Stacey Schesser, CIPP/US, who indicated to the lawmakers that the attorney general will be asking for increased funding to help it enforce the CCPA.
At its public forums, Schesser said, the attorney general's office is seeking public comment on subjects, including categories of personal information, definitions of personal information, consumer opt-outs and how businesses can comply with those, and what an "opt-out logo button" should look like.
The deputy attorney general also indicated that her office would seek to expand the private right of action provision within the CCPA. ... The attorney general cited private rights of action as "critical adjunct" to law enforcement's ability to enforce.
The deputy attorney general also indicated that her office would seek to expand the private right of action provision within the CCPA. As it stands now, consumers can sue if their data “is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to the protect the personal information.”
The attorney general cited private rights of action as "critical adjunct" to law enforcement's ability to enforce.
That did not sit well with Forsheit, nor the representative from the California Chamber of Commerce, Sarah Boot, who called expanding the private right of action "frightening" and said it would be a "class-action bonanza" that neither California's economy, courts or businesses could handle.
"This is a sledgehammer; it's not a stick," Forsheit said of the class-action provision as it stands.
She said it's a win for class-action attorneys and not for consumers, because every business "has either had a data security breach or will, even if they've implemented reasonable security procedures and practices. It is the nature of the world in which we live today." Given that, she said, the damages that can be awarded for class-actions under the CCPA, which cap at $7,500 per violation, are already too high.
Despite the disparate views on what must change and what must remain about the CCPA as it exists now, Assemblyman Ed Chau —who co-sponsored the CCPA, also known as AB375 — left feeling optimistic. He said there's clearly some surgery to be done, but there's also enough common ground that consumers will remain protected in important ways.
"Looks like this is going to be a busy year," Chau said. "This is what I call job security."
If you missed the hearing and want to view it in full, find the video archive here.