California’s Consumer Privacy Act: The Public Has Spoken

Last June, the California Consumer Privacy Act – which is considered to be the strictest data privacy law in the United States – was signed into law. Among other things, the CCPA gives Californians the right to know what personal information (PI) is being collected about them, whether their PI is being sold and to whom, the right to access their PI, the right to delete PI collected from them, and the right to opt-out to the sale of their PI.

But because the legislation was not without controversy, and given the questions the law has raised, its effective date is not until January 1, 2020. During this interim period, the California Attorney General has held a series of public forums, giving individuals and businesses the opportunity to voice concerns. This input will be taken into consideration, and regulations will be issued in the near future to clarify the law, flesh out its meaning and serve as something of an “operating manual” for the CCPA.

M&R participated in one of these forums back in February, and we learned that the topics of public comment included:

  • The need to update the categories of personal information expressly enumerated in the definition of personal information to address changes in technology, data collection practices, obstacles to implementation, and privacy concerns.
  • The need to update the definition of unique identifiers to address changes in technology, data collection, obstacles to implementation, and privacy concerns, and additional categories to the definition of designated methods for submitting requests to facilitate a consumer’s ability to obtain information from a business upon request.
  • The need to establish exceptions to the CCPA necessary for businesses to comply with state or federal law, including but not limited to those relating to trade secrets and intellectual property rights.
  • The need to establish rules and procedures (a) to facilitate and govern the submission of a request by a consumer to opt-out of the sale of personal information; (b) to govern business compliance with a consumer’s opt-out request; and (c) for the development and use of “a recognizable and uniform opt-out logo or button by all businesses to promote consumer awareness of the opportunity to opt-out of the sale of personal information.”
  • The need to adjust the monetary thresholds for businesses to be covered by the CCPA.
  • The need to establish rules, procedures, and any exceptions necessary to ensure that notices and information that businesses are required to provide under CCPA are provided “in a manner that may be easily understood by the average consumer, are accessible to consumers with disabilities, and are available in the language primarily used to interact with the consumer,” including establishing rules and guidelines regarding financial incentive offerings.
  • The need to establish rules and procedures to facilitate a consumer’s or the consumer’s authorized agent’s ability to obtain information upon request, “with the goal of minimizing the administrative burden on consumers, taking into account available technology, security concerns, and the burden on the business” and to govern a business’ determination that a request for information received by a consumer is a verifiable consumer request.

Indeed, several businesses and trade associations made public comments at the forum, and once the Attorney General releases its responsive and anticipated Notice of Proposed Regulatory Action (most likely this coming fall), we will report back. Likewise, should it become law, we will provide pertinent information regarding a pending amendment to the CCPA that looks to expand the civil right of action for damages so that it applies to any consumer whose rights under the Act are violated (that amendment also seeks to remove the 30-day cure period requirement for enforcement actions brought by the State Attorney General).

In the meantime, if you have any questions about the CCPA, do not hesitate to contact M&R’s cybersecurity and data privacy guru Scott Lyon at (714) 557-7990 or [email protected].

This blog post is not offered, and should not be relied upon, as legal advice. You should consult an attorney for guidance in specific situations.