Businesses have until March 8 to file comments in an important pre-rulemaking proceeding for a critical California AG rulemaking that will clarify the requirements of the CCPA. The California AG will most likely not enforce the CCPA privacy requirements until July 1, 2020.
As we have written before, the CCPA is both a landmark privacy law and a work in progress. The law requires the California Attorney General's Office to conduct a rulemaking on several issues and ties the date on which its privacy provisions can be enforced to six months after the completion of that rulemaking. The AG's Office may also choose to address other issues in its rulemaking. Because the CCPA is littered with drafting errors and confusing definitions of key terms, this AG rulemaking is extremely important.
At its Sacramento public forum on February 5, the AG's Office unveiled a schedule for its CCPA rulemaking and a list of statutorily required topics that it will definitely address in the rulemaking and on which it requests comments in its pre-rulemaking proceeding.
These topics are:
1. whether additional categories of personal information (PI) should be included
2. whether to update the definition of unique identifiers subject to the CCPA requirements as PI
3. adjusting the exceptions to the CCPA, including those necessary to comply with state or federal law, including trade secret and IP laws
4. setting rules and procedures for submitting and complying with individual rights requests
5. development and use of a recognizable and uniform opt-out logo or button by all businesses to promote consumer awareness of the opportunity to opt out of the sale of personal information
6. establishing rules, procedures, and any exceptions necessary to ensure that the notices required by the law, including financial incentive offers, are easily understood by the average consumer, accessible to consumers with disabilities, and available in the language primarily used to interact with the consumer
7. establishing rules and procedures regarding verifying consumer requests (under the CCPA, unverifiable requests do not require a response).
Of these topics, the most operationally significant are the rules and procedures for submitting and complying with requests (topic 4 above) and for verifying those requests (topic 7 above). The definition of "personal information" in the CCPA is already so broad that there is considerable confusion as to the scope of what is required in response to data access, data portability and data deletion requests. The statute leaves it to the AG's Office to determine what verification should be required. Guidance from the AG's Office on this issue is critical because "verified requests" entitle the requester to see all information in an account, including potentially very sensitive data. What is more, because data identified only to a "household" level (not an individual or device level) appears to qualify as "personal data," the law could potentially allow roommates or estranged family members to access, port away or delete each other's account data.
The statutory definition of "de-identified data" is also badly in need of clarification. It appears almost circular vis-à-vis the definition of personal data and provides very little guidance as to how to de-identify. Because de-identification is a pro-privacy measure, it is important that the AG's Office clarify the sorts of steps that make data de-identified and thus outside the scope of the statute.
Personnel from the AG's Office have stated at several public sessions that their office is interested in considering clarifying regulatory language to make the CCPA operationally workable. These are just a few examples of confusing features of the CCPA statutory language that could be clarified in this proceeding without undermining the effectiveness of the law. Businesses subject to the CCPA would be well-advised to consider proposing clarifying language on topics on the AG's list, as well as other helpful clarifications.
DLA Piper has extensive experience analyzing the CCPA's convoluted statutory language and negotiating with lawyers for privacy organizations on potential consensus clarifying changes. If you would like assistance in filing comments, please do not hesitate to contact us.