On June 1, California’s Office of the Attorney General submitted the final proposed regulations package for the California Consumer Privacy Act to the Office of Administrative Law for review. Included in this package is the Final Statement of Reasons, explaining the modifications from the initially proposed text of the regulations, as well as a summary of all the comments received during the rulemaking process and the OAG’s responses, attached as appendices A, C, and E to the FSOR.
For businesses or practitioners dealing with compliance issues, the OAG commentary is an important resource to consider.
The OAG’s responses address why certain modifications were made (or not) to the proposed regulations, confirm and clarify how it is interpreting certain CCPA provisions, and flag topics the OAG is still considering. They also appear to provide some insight regarding the OAG’s enforcement focus. There is substantial granularity, as the comments and responses are organized by the specific sections and subsections of each regulation. Together, Appendices A, C, and E total almost 500 pages. Reviewing a few of the regulatory provisions illustrates how this commentary may help inform compliance decisions.
The importance of notices, privacy policies and the “do not sell” link
No blanket exemption for trade secrets and intellectual property
Several of the comments raise the issue of the CCPA potentially requiring disclosure of proprietary and/or trade secret information. While CCPA Section 1798.185(a)(3) discusses the attorney general adopting regulations regarding “any exceptions necessary to comply with state or federal law, including, but not limited to, those relating to trade secrets and intellectual property rights ...,” there is no such exemption in the final proposed regulations.
For businesses concerned about this issue, the OAG’s responses to these comments are instructive.
Responses 323 and 901 in Appendix A address comments seeking an exemption from the CCPA for proprietary information, intellectual property or trade secrets. In a lengthy commentary, the OAG rejected these requests. It determined “the comments fail to show how an exemption for protection of intellectual property rights is necessary” as they “fail to explain how a consumer’s personal information collected by the business could be subject to the business’s copyright, trademark, or patent rights, or how a business could possibly patent, trademark or copyright a consumer’s personal information” (Response 901/Appendix A).
The OAG’s responses also noted that even if a consumer’s personal information could potentially be considered a trade secret, “neither federal nor state law provides absolute protection for trade secrets.” Importantly, the OAG concluded, “a blanket exemption from disclosure for any information a business deems could be a trade secret or another form of intellectual property would be overbroad and defeat the Legislature’s purpose of providing consumers with the right to know information businesses collect from them.”
There also were comments specifically challenging the obligation in the Notice of Financial Incentive, Section 999.307(b)(5), requiring businesses to provide a “good-faith estimate of the value of the consumer’s data” on the grounds that disclosing the “description of the method the business used to calculate the value of the consumer’s data” required by the regulation involves proprietary information. The OAG similarly rejected this position, finding the comments did not adequately demonstrate the information was a “trade secret,” referencing the definition in California’s Uniform Trade Secrets Act, Section 3426.1 (Response 247/Appendix A and Response 25/Appendix E).
The OAG reiterated that the protection of trade secrets is not absolute and that allowing a broad exemption in this context “would be overbroad and defeat the Legislature’s purpose of protecting consumers’ privacy and prevent discrimination against consumers who exercise their privacy rights.”
Disclosing consumer request metrics is 'necessary' to assess compliance
The OAG commentary explains its position regarding the mandatory disclosures for businesses handling a large amount of consumer data. Section 999.317(g) of the proposed final regulations requires a business “that knows or reasonably should know” it buys, receives, sells or shares the personal information of 10 million or more consumers in a calendar year to compile and disclose specific information regarding consumer requests. The OAG disagreed with a comment requesting this provision be eliminated because it exceeded the scope of its authority, stating in Appendix A/Response 652, “the regulation is necessary” and “the value of public disclosure outweighs the burden.” In the FSOR, the OAG explained “the compilation and reporting metrics are reasonably necessary to measure compliance with the CCPA,” noting the benefit of assessing whether response times are complying with the required 45-day timeframe, understanding whether requests “are systemically being denied,” and having transparency regarding the number of requests being received.
In both the FSOR and other Appendix A comments, the OAG also noted the public disclosure of this information will allow “academics, consumer advocates, business groups, and others to research and analyze this data.”
The OAG increased the reporting threshold from 4 million to 10 million to lessen the burden on small businesses, as explained in the FSOR. Ten million consumers represent approximately 25% of California’s population. In response to comments expressing concern over the difficulty of following this reporting requirement, the OAG makes clear compliance is expected, stating “[b]usinesses that are managing the personal information of roughly 25 percent of California’s population shall make good faith efforts to develop systems that would track their compliance with the CCPA and these regulations” (Appendix A/Comment 658).
There may be additional regulations
Rulemaking for the CCPA was an involved process, with multiple rounds of revisions to the initial proposed regulations. The OAG responses suggest it may not be over, as it continues to look at particular issues raised by the comments. In many of its answers, the OAG stated it “has prioritized the drafting of regulations that operationalize and assist in the immediate implementation of the law. Further analysis is required to determine whether a regulation is necessary on this issue.”
Areas in which the OAG indicated it may be considering further regulation include:
The first modified regulations proposed in February 2020 included a new provision, Section 999.302 Guidance Regarding the Interpretation of CCPA Definitions. It offered further guidance regarding whether the information is “personal information” and included a specific example of a business collecting IP addresses. The second set of modifications issued in March 2020 deleted this provision. However, in Response 9/Appendix E, the OAG stated “[f]urther analysis is required on this issue.” The OAG’s responses also indicate it may take a closer look at whether certain definitions, including “business,” “business purpose” and “sale” require regulation.
The opt-out button
CCPA Section 1798.185(a)(4)(C) refers to the attorney general adopting regulations related to “the development and use of a recognizable and uniform opt-out logo or button by all businesses to promote consumer awareness of the opportunity to opt-out of the sale of personal information.” The first modified regulations included an opt-out button in Section 999.306(f) that was deleted in the second set of modifications. In Response 84/Appendix C, the OAG stated it deleted the proposed regulation “to further develop and evaluate” a uniform opt-out logo or button.
Many of the comments asked the attorney general to provide models, sample language or templates for businesses to use. The OAG’s responses suggest it is considering these requests.
The OAG’s responses contain useful information regarding its rationale for the modifications to the regulations and its decision not to accept certain comments.
There are still unanswered questions, as identified here and in this piece for the IAPP’s Privacy Tracker by Husch Blackwell's David Stauss, CIPP/US, CIPT, FIP, and Malia Rogers, which analyzed the OAG’s comments with respect to cookies and tracking technologies. Additional regulations appear to be a real possibility, and if the California Privacy Rights Act ballot initiative passes in November, this will further impact CCPA compliance and the regulatory framework.
The IAPP will continue to monitor and report on this changing landscape.