Tanya Forsheit, CIPP/US, CIPT, PLS, was about to take the stage Thursday at a speaking engagement when a colleague asked her if she was watching the news conference. Forsheit assumed there must have been a news conference on U.S. President Donald Trump's impeachment hearings. But, like everyone else watching the California Consumer Privacy Act's progress as it nears its 2020 implementation date, Forsheit was surprised to learn that California's attorney general was, in fact, holding a news conference unleashing its long-awaited proposed regulations on the CCPA.
The regulations are important and have been eagerly anticipated because they've largely been heralded as the answers to companies' burning questions about some of the law's ambiguities. The CCPA itself mandated the attorney general would "solicit broad public participation to adopt regulations to further the purposes of this title ... ."
At Thursday's surprise news conference, California Attorney General Xavier Becerra stood with nine members of his staff touting the proposed regulations as a victory. "We were assigned this task, we made it clear what it would take to do it well, we intend to do it well, period," he said.
But some of those tasked with complying with the CCPA or helping their clients do so don't agree that the 24-page document is a win.
"Any of us who had spent the last year struggling to read this law and interpret it for clients, the hope was that the [attorney general] was actually going to help by giving more clarity and doing it in language that business could understand and could apply," said Forsheit, an attorney with Frankfurt Kurnit Klein & Selz. "Indeed, our friend Alastair Mactaggart [who drafted the initial CCPA] kept saying, 'Don’t worry, the [attorney general] is going to provide clarity around this,' but they haven’t; they’ve made it worse."
At a high level, the regulations focus on four specific areas of the CCPA: restoring choice, control, transparency and fostering innovation.
"Though they are to be made public today, these proposed regulations have taken a year to get to this point," Becerra said. "And they reflect changes from the legislature up until last month and feedback from the public during four public forums in the last year."
He added that the regulations explain how businesses would be required to notify consumers of their rights under the CCPA either at or before data collection, how businesses handle consumer requests about their data, clarify how businesses confirm identities during data subject access requests, and how they handle requests concerning information regarding children under the age of 16. The proposed regulations also describe what businesses need to do to avoid discriminating against customers who choose not to allow their data to be stored and sold, a choice granted to them under the CCPA.
Forsheit said some of the regulations' provisions are helpful and make progress in clarifying that organizations handling subject-access requests may vet and, if necessary, deny requests to delete or to receive a copy of a subject's data when the requester's identity cannot be verified. But that's about where her praise ends.
"This, even though it’s 24 pages long, doesn’t have anything that’s truly helpful," Forsheit said. "There's nothing at all to help businesses, and that’s what they ought to be trying to do if they are actually interested in helping consumers."
Privacy attorney Joseph Jerome, CIPP/US, agrees with Forsheit that the regulations do more to confuse than they do to clarify.
"I'm glad I'm not responsible for CCPA compliance, because I think these new regulations may send some folks back to square one," Jerome said. "My reading of the regs is there's no more ignoring do-not-track signals, and that's on top of all the new documentation in this thing. Companies are going to have to think about how they value data — the regulations offer eight potential methodologies — and then document that."
Jerome is referring to the regulations section on "requests to opt out," which states: "A business shall provide two or more designated methods for submitting requests to opt-out [of the sale of their personal information], including, at a minimum, an interactive webform accessible via a clear and conspicuous link titled 'Do Not Sell My Personal Information,' or 'Do Not Sell My Info,' on the business’s website or mobile application." Businesses can also use toll-free phone numbers, email addresses, or a browser plugin or privacy setting to communicate a user's choice to opt out, among other methods.
Lothar Determann of Baker McKenzie agrees with Jerome's assertion that the regulations confuse rather than clarify.
"Lawyers and lobbyists who had raised hopes for practical or business-friendly guidance should be disappointed," he said. "Where the proposed regulations add new substance, they seem to create additional ambiguities and burdens for businesses."
Given the regulations' provision that a browser plugin or privacy setting can communicate or signal the consumer's choice to opt out of the sale of their personal information, some claim that "should be read to imply that 'do not track' settings in web browsers constitute opt-out requests under the CCPA. According to the regulations, businesses have to implement opt-out requests in 15 days, [and] not the 45 days that the CCPA contemplates for data access/deletion requests."
Forsheit agrees this is troubling. She said that while it's helpful the attorney general clarified that a company can take up to 15 days to honor "do not sell" requests, the regulations go on to say that businesses must pass the do-not-sell request on to all third parties.
"I think 90 days is OK, but I don't think any of us thought companies were going to have to reach out to any imaginable third-party entity that might have that data to report a do not sell request; that isn't obvious from the face of the law," she said.
More importantly, though, Forsheit is very concerned with the regulations' distinction of when an entity can be designated as a "service provider" under the law.
"A lot of companies are struggling with are they a 'service provider,' are they a 'business,' what are they?" she said. "Many companies are trying to focus their compliance on making clear they’re a service provider." But under the regulations, a company cannot claim to be a service provider if it uses the same data element it received from one client to provide a service to another. In that case, the transfer of that data element from the first company to the second counts as a "sale" under the CCPA, meaning a consumer could opt out of that transaction.
"Let’s say I share data with a vendor for security services. A good use-case is if I’m a company and I get an IP address from another company in order to provide a service to them — say, a security-related service, a cybersecurity type company — and I get an IP address from a company in order to help them detect fraud. According to the regs, if I use that data, that IP address for another company to provide a service, then I’m no longer a service provider. If that individual says, 'Don’t share my data,’ the company has to stop sharing that information to protect against fraud. And that doesn’t make sense, because companies often have to use identical pieces of data in order to provide services."
Added Forsheit, "The regs are again creating a disincentive for companies to engage in normal business activities that are actually to protect people from fraud by sharing certain pieces of information, and that’s troubling to me."
Additionally, Determann takes issue with the length of the regulations themselves, which he says are "nearly as long as the CCPA itself and would double the word count of what businesses and their advisers have to process for compliance purposes, to nearly 20,000 words of highly complex, legalese and counterintuitive terminology and text."
He said the regulations "demand that businesses 'use plain, straightforward language and avoid technical or legal jargon' — a requirement that neither the CCPA or the regulations are trying to meet in the least, but, hey, 'Do as I say, not as I do.'"
"Privacy policies are going to get longer, too. Much longer," Jerome said. "There will be more paper disclosures all over the place."
That's because, Jerome notes, the regulations impose new reporting obligations on businesses that traffic in the data of more than 4,000,000 consumers: "they will also need to publicly report metrics about CCPA requests and the companies' time frames for responding," Determann said.
The regulations require such businesses to compile metrics such as the "number of requests to delete the business received" and the number complied with or denied, along with the median number of days taken to respond, and to disclose the compiled information in their privacy policy.
For all the critiques, however, Determann notes that "neither the [attorney general's] office nor the Legislature is entirely or even primarily to blame, though." He said the original ballot initiative laid out "confusing terminology, complex concepts and massive word count in motion to mislead voters at the 2018 general election (as ballot initiatives tend to do)."
The attorney general's team found itself in a difficult position, trying to draft the regulations while juggling CCPA hearings and the California Legislature's more than 40 bills aiming to amend the law, as recently as Sept. 13, when it "passed very wordy, complex and convoluted modifications and time-limited exceptions from the statute, which the governor has not yet signed into law."
Jerome, for his part, said while many are harping on the compliance costs of the CCPA, "some of this is good stuff and should be thought of as the proverbial [federal] privacy bill coming due. It's just going to be hard to do in three months — and that's on top of providing feedback on this and the looming CCPA 2.0."
Now, the attorney general's office takes public comment on the proposed regulations through Dec. 6, after which it will issue the final regulations ahead of CCPA's Jan. 1 effective date.