Pursuant to Section 1798.185 of the CCPA, these public forums provide consumers, businesses, and residents with a platform to share their comments and “as a whole participate in the rule-making process” according to California Attorney General Xavier Becerra.
As anticipated, the first public forum held in San Francisco drew a large crowd and covered a full spectrum of topics. Speakers represented many sectors of the public ecosystem – private and public workforces, universities, law firms, non-profits, and business advocacy groups.
Below we list 10 themes and comments stated by the public audience members:
1. Definition of ‘Personal Information’(PI): Presenters inquired about a more precise delineation, as the current rationale may be “interpreted to include data not currently linked to an individual”. Speakers expressed the need to further specify which pieces of information constitute as PI, most notably if IP addresses should be recognized in this category.
2. Existing privacy regimes & safe harbors: Whether aligning the CCPA to the GDPR would be in the best interest of both businesses and consumers. And if it should include safe harbors for those already compliant with the GDPR and privacy related practices.
3. Standard of care for compliance efforts: Consider including “references to Attorney General defined uses of the national standards of business, national cyber security framework, and industry best practices”.
4. Opt-out button: Clarification into the application of this button across each web page and taking into account the effect it may have on user experience.
5. Authenticating consumer identity: Whether businesses already upholding the principles of data minimization should be offered a benefit for their efforts and protection against collecting “previously non-linked personally identifying information” in the verification step of a consumer request.
6. Definition of ‘Sale’: Clarify who is included and if it also applies to “3rd party providers targeting ads to consumers on behalf of a business”.
7. Definition of ‘Consumer’: Clarify if this applies to employee related data.
8. Non-California activity & satisfying thresholds: Resolution into when this type of activity is counted towards the 25 million annual gross revenue or personal information of 50,000 consumers/households/devices thresholds. And clarification on the ramp period to comply upon reaching the thresholds.
9. Non-discrimination clause: Clarify the conditions in providing different levels of service to users that exercise their opt-out rights. And taking into account the impact to low-income communities and the financial affliction that may result.
10. Right of access requests: Whether non-personal information used to track behaviors and provide insights are “equally revealing” and if those conclusions and inferences should be included.
A common consensus from those that spoke, was that the law as it stands is ambiguous in various sections. Without clarity into the definitions of key terms and guidelines into the technical application, there may be what one speaker described as “unintended consequences” that could counteract the protection of consumer privacy. Additionally, any issues businesses have interpreting and complying with the law could be further compounded by not aligning with existing policies.
We look forward to the comments shared during the remaining forums and how they may shape amendments to the CCPA legislature.
Additional public forums are set to take place on:
- January 14th in San Diego, CA
- January 24th in Riverside, CA
- January 25th in Los Angeles, CA
- February 5th in Sacramento, CA
- February 13th in Fresno, CA
Written comments can also be submitted by email at [email protected] or via post to: California Department of Justice, ATTN: Privacy Regulations Coordinator, 300 S. Spring St., Los Angeles, CA 90013.
Stay tuned to our blog, as we’ll have more to share in the coming months!