Ashley Lynn Shively is Partner in Holland & Knight's San Francisco office

John P Kern is Partner in Holland & Knight's San Francisco office

HIGHLIGHTS:

  • The Office of the California Attorney General (AG) held the final public forum on the California Consumer Privacy Act on March 5, 2019.
  • Commentators were sophisticated in their understanding of the law and all perspectives were expressed, with many touching on several general topics.
  • Members of the public and business have until Friday, March 8, 2019, to submit written comments for consideration by the AG before it begins the regulatory drafting process. The AG anticipates publishing its Notice of Proposed Regulatory Action by fall 2019. Another formal public comment period will follow issuance of the draft regulations.

The Office of the California Attorney General (AG) held its seventh and final public forum on the California Consumer Privacy Act (CCPA) on March 5, 2019, at Stanford Law School.

As with the earlier forums, AG representatives were not permitted to respond to questions regarding California's landmark new privacy law. The event nevertheless provided a valuable opportunity for the public to help focus rulemaking efforts, particularly on the seven areas delegated to the AG in Civil Code Section 1798.185:

  1. Categories of personal information, including whether additional categories should be included in the scope of the CCPA
  2. The definition of unique identifiers and whether it needs to be updated
  3. Exceptions to the CCPA to comply with state and federal law
  4. The process for consumers to submit, and businesses to comply, with consumer requests
  5. Particulars of the uniform opt-out logo or button to be developed informing consumers about the right to opt out
  6. Details regarding notices and information businesses are required to provide to consumers, including related to financial incentive offerings
  7. Verification of consumer requests

Five Main Themes

The event was attended by approximately 100 members of the public who represented a range of businesses, advocacy groups and private citizens. Compared with some of the earlier CCPA forums, commentators expressed a wider diversity in their points of view and many touched on one of five general topics:

First, multiple commentators encouraged the AG to clarify ambiguities and eliminate gaps in the definitions of key terms such as "personal information" and "sale." Others expressed concern that terms could not be accurately defined unless and until the AG obtained a deeper understanding of the realities of data transfers in digital ecosystems.

Desire that the government dig into the nuances of digital relationships was also evident in comments concerning practical application of the CCPA. A second focus of the comments was non-consumer-facing service providers and vendors of consumer-facing entities. Under the current language, service providers — entities that receive personal information pursuant to a contractual relationship — are effectively subject to the same requirements as consumer-facing businesses. Service providers, however, often have no direct relationship with consumers and, therefore, little-to-no opportunity to provide the notice required under the CCPA.

A handful of commentators raised this concern specifically in the context of AdTech. Dozens of behind-the-scenes companies receive information in the split second it takes to load a website — domain owner, vendors necessary to host the site, advertiser, advertising agency, demand-side platform, supply-side platform, ad exchange, ad network, dozens of publishers, etc. It would be impractical, if not impossible, commentators argued, for each player to give notice and comply with the other requirements of the law.

A third theme was validation of consumer requests and the need for detailed guidance around the process. Several speakers requested that the AG weigh in to clarify the remedies available to consumers, and potential consequences to business, of denying an unverifiable request.

A fourth theme was the time and effort that businesses have dedicated to operationalize the requirements of the European Union's General Data Protection Regulation (GDPR). Many consumers also are now generally aware of the broad rights and protections provided under the European law. To that end, commentators encouraged the AG to use the rulemaking process to bring California's law in closer harmony with GDPR.

Finally, speakers shined a light on enforcement issues. Recognizing staffing and funding challenges, commentators urged the AG to delegate some of its enforcement powers to local authorities in order to fulfill the law's enforcement mandate. Relatedly, business representatives emphasized the need for time to come into compliance after the rulemaking process is complete. Absent recognition of this reality in the regulations, businesses reasonably fear a wave of consumer litigation on January, as private actions are not subject to the July 2020 enforcement date applicable to government-filed actions.

What Comes Next

A transcript of the March 5 forum will be made available on the AG's CCPA website. You can also review transcripts of the six earlier public forums. Although this was the last of the scheduled public forums, the AG is still taking written comments through Friday, March 8, 2019.

The AG anticipates publishing its Notice of Proposed Regulatory Action by fall 2019. The public will have another opportunity to weigh in during the formal public comment period that follows issuance of the draft regulations.

The forthcoming regulations should clarify at least some of the steps toward implementing CCPA requirements. In the meantime, businesses should be taking steps to prepare, such as data mapping and making an inventory of vendors.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.