The California Attorney General held the second of four public hearings on the California Consumer Privacy Act’s (CCPA) proposed regulations in Los Angeles on December 3, 2019. The Los Angeles hearing featured comments from approximately 24 speakers over a two-hour period. The following provides an overview of the Los Angeles hearing and comments made at the hearing.
AG’s Opening Remarks
Senior Assistant Attorney General Nick Akers opened the hearing by stating that the purpose of the hearing was to receive public comment about the proposed regulations. He specifically noted that the AG’s office did not intend to answer questions or otherwise engage in dialogue regarding the draft regulations. He also noted that the AG is accepting written comments about the proposed regulations, and that the deadline to submit written comments is this coming Friday, December 6, at 5 pm. Mr. Akers stated that the AG would review and consider all relevant comments, and would respond to those comments in the official Statement of Reasons accompanying the final regulations. He did not provide any information as to when the AG expected to finalize the regulations.
Comments Made at the Hearing
The hearing was well-attended, and about 24 individuals made public comments. Each speaker was given five minutes to make comments. The group of speakers consisted entirely of business and legal representatives, and included individuals from the California Chamber of Commerce, the Interactive Advertising Bureau, multiple law firms, several nonprofits, and numerous credit unions. The speakers provided the following noteworthy comments regarding the draft regulations:
- Notice at collection. Multiple speakers expressed concerns about section 999.305(d) of the regulations, which applies to businesses that collect personal information about consumers from sources other than consumers themselves. The regulations state that businesses that wish to sell personal information acquired in this manner must fulfill one of two requirements before selling that information: they must (a) contact the consumer directly to provide notice that the business sells personal information about the consumer, and provide the consumer with a notice of right to opt-out of those sales; or (b) obtain signed attestations from the sources of the personal information, describing how the sources gave the notice at collection and providing an example of the notice. The representatives of several businesses that collect personal information about consumers through indirect means (e.g., through aggregating personal information about a particular individual from several sources) voiced their opinion that the two alternatives the regulations present are unworkable from their perspective. In particular, several speakers pointed out that it would be impossible for them to provide direct notice to consumers, as they generally lacked consumers’ contact information, and that many of the sources they used to collect this information likewise lacked the means to contact consumers directly and provide an attestation to that effect. A few commentators also pointed out that this provision could prompt fraudsters to send unsuspecting consumers notices that appear to be from legitimate companies but actually serve as a means to steal information or entice consumers to click on malicious links. Several speakers requested that the AG revise the draft regulations in order to allow for the notice at collection to be posted on the websites of those businesses that collect consumers’ personal information from other sources.
- Scope of applicability. Several speakers raised issues related to the scope of the CCPA, and suggested that the regulations be revised to clarify the extent of the statute’s scope.
  - 50,000 consumer threshold. At least three speakers pointed out that the CCPA’s definition of the types of entities that qualify as “businesses” could capture many small businesses that, practically speaking, would struggle to meet the CCPA’s requirements. They noted that, under the CCPA, an entity may qualify as a “business” if it annually buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices. They also noted that the CCPA’s definition of “personal information” is broad enough to apply to the types of data that a company may collect via cookies when a consumer visits its website, such as the consumer’s IP address. They reasoned that, under these definitions, many types of small businesses could be viewed as collecting the personal information of 50,000 or more consumers, households, or devices through website visits alone, even if they do not have 50,000 customers. As a result, these small businesses potentially could qualify as “businesses” under the CCPA (provided that they meet the other requirements set out in the definition), although many such businesses would not be equipped to fulfill the obligations the CCPA imposes. The speakers requested that the AG consider these implications and revise the draft regulations to lift some of the burden on these entities (e.g., by excluding IP addresses from the definition of “personal information” to the extent an entity’s collection of IP addresses, alone, allows it to meet the 50,000 consumer threshold).
  - Applicability to credit unions. Multiple credit union representatives also voiced their concerns with the CCPA’s definition of “business.” Nonprofits are excluded from the CCPA’s definition of “business,” but entities that are “organized or operated for the profit or financial benefit” of their owners are not. The credit union representatives noted that although they may qualify as nonprofits, they also are organized and operated for the profit of their “owners” (their members), which made it unclear whether they were “businesses” subject to the CCPA. In addition to seeking clarity on this point, the credit union representatives also asked for regulatory clarification on the extent of the CCPA’s exceptions related to the Gramm-Leach-Bliley Act and the California Financial Information Privacy Act. As currently drafted, the CCPA only exempts from its scope information subject to these laws, not entities subject to these laws. The speakers expressed concern that if they were subject to the CCPA, they would have to provide consumers with the notices required by the CCPA, which could confuse consumers who are already receiving multiple privacy notices from financial institutions in accordance with other laws.
- Downstream notification of consumer opt-out. Several speakers raised issues with section 999.315(f) of the draft regulations, which requires a business that has received a consumer’s opt-out request to provide notice of that request to all third parties to whom it has sold the consumer’s personal information in the 90 days preceding the request, and instruct those third parties to refrain from further selling the consumer’s personal information. The speakers raised concerns that this requirement could force businesses to breach existing contracts with data resellers (i.e., by instructing the resellers that they cannot exercise rights previously granted to them in their contracts with the business), and asked that this requirement be revised or removed.
Dates and Locations of Upcoming Public Hearings
The AG will hold two more hearings, and information on the time and location can be found on the AG’s website.
- San Francisco, Wednesday, December 4, 2019
- Fresno, Thursday, December 5, 2019
Written comments must be submitted by December 6, 2019, at 5:00 pm (PST) via email to PrivacyRegulations@doj.ca.gov, or via postal mail at Privacy Regulations Coordinator, California Office of the Attorney General, 300 South Spring Street, First Floor, Los Angeles, CA 90013.