The California Attorney General is holding six statewide forums to collect feedback on the California Consumer Privacy Act to "solicit broad public participation." On Jan. 8, I attended the first hearing on a rainy day — finally! — here in San Francisco. Here are some of my observations.
Attorneys, law professors, data security professionals, data scientists, students, reporters and representatives of various organizations filed into the Milton Marks Conference Center near City Hall before 10 a.m., while representatives of the California Department of Justice explained the purpose of the hearings and asked for comments on the rule-making topics contemplated by the CCPA.
Topics include adding categories of personal information and updating the definition of unique identifiers to address changes in technology and privacy concerns; establishing exceptions necessary to comply with state or federal law, including those relating to trade secrets and intellectual property rights; and establishing rules, procedures and exceptions to ensure that notices and information are provided in a manner that may be easily understood by the average consumer
Each audience member had the floor and microphone for up to five minutes of public comments, which included requests for clarifications, flags of technical errors, suggestions for reductions in scope, pleas to expand privacy protections further, and general criticisms of the CCPA.
Commentators at the hearing acknowledged the difficulties that the attorney general faces since the rule-making pertains to a statute that is still subject to ongoing legislative change and correction of obvious typos and drafting errors. Some asked for a clarification that the term "consumer" does not extend to employees. Others noted that the CCPA's de-identification standard is nearly impossible to meet except by way of aggregation. One attendee suggested that the attorney general publish template privacy notice formats and offer a safe harbor to companies that voluntarily adopt the templates, as the California Civil Code already offers for breach notices, without mandating the use of templates.
Hearing participants also proposed ramped-up time periods for companies that become subject to the CCPA during a calendar year due to increasing revenue; clarifications that companies should not be required to collect or combine personal information to identify consumers for purposes of responding to information access or deletion requests if the companies had not previously identified such consumers; and an ability for businesses to charge for information access and deletion requests or opt-out declarations regarding information selling to avoid increasing costs for other consumers and the general public. Stakeholders also expressed various opinions on the CCPA and did not limit themselves to the rule-making topics contemplated by the CCPA.
The representatives of the Department of Justice took notes and did not respond or comment. They ended the official session early, after about a dozen commentators had spoken up, and no one else raised a hand.
Many hearing attendees stayed for informal discussions in small groups. I sensed a common view that many of the most urgent issues are for the California Legislature or U.S. Congress to address. Views on what legislative changes to ask or hope for in Sacramento diverge: Some business representatives and industry associations are eager to push for various substantive modifications to CCPA requirements that are particularly costly or harmful to their business models, customers or business partners. Others believe that the business community should limit its demands to corrections of obvious errors and seemingly unintended consequences (such as covering employees as "consumers"), but otherwise accept the conceptual requirements of the CCPA to avoid far greater risks to businesses: perceived "watering down" of the CCPA could provoke another ballot initiative and parliamentary trade-offs could bring back a right to private action.
Some privacy advocates welcome the comprehensive disclosure requirements in the CCPA. If the CCPA comes into effect largely with its current, broad scope, many other California statutes can and should be repealed to avoid duplications, conflicts and unnecessary complexities.
With respect to submissions to the attorney general's office, some business representatives seemed wary about the risks of alerting the enforcement agency to particularly difficult compliance challenges arising from the CCPA. Legal counsels are particularly concerned about the effects of a provision in the CCPA, which provides that any penalty for violations of the CCPA and proceeds of any settlement of an action shall be deposited in a new "Consumer Privacy Fund" with the intent to fully offset any costs incurred by state courts and the Attorney General in connection with the CCPA.
There will be further forums in San Marcos (Jan 14 ), Riverside (Jan 24), Los Angeles (Jan 25), Sacramento (Feb 5) and Fresno (Feb 13). The Department of Justice team is also inviting comments via email at PrivacyRegulations@doj.ca.gov
Photo credit: johrling, California Republic, via Flikr