Businesses seek CCPA clarity as California AG issues dire warning

The comment period on the regulations proposed by the California AG ended Dec. 6, with more than a thousand pages of comments submitted.

“Business groups across the board believe that the regulations as drafted would lead to confusion and opportunity for lapse or inconsistencies in compliance,” said Kritika Bharadwaj, an associate at the law firm Day Pitney.

“Although businesses generally accept the need for giving consumers more transparency and control over their personal data, a common theme in the comments we have seen, not surprisingly, has been a pleading to align the requirements in the regulations with those in the statute,” observed Sophia Browning, an associate at Day Pitney.

Any haziness in the regulations as proposed seem not to be slowing down California’s attorney general, though. While acknowledging the California Department of Justice is an agency of limited resources, California AG Xavier Becerra told Reuters in an interview that affected businesses not making an effort to comply with the requirements of the law should not expect any leniency.

“If they are not [operating properly] … I will descend on them and make an example of them, to show that if you don’t do it the right way, this is what is going to happen to you,” Becerra warned.

California’s privacy law was signed into law June 2018, but amendments were being made to it as recently as October 2019. Also in October 2019, the California DOJ proposed regulations implementing the law. Under the CCPA, consumers may ask to learn what data is collected about them by businesses subject to the law. They may also opt out of the sale of their data.

More harm than good?

Still, some in the regulated community are concerned the regulations as proposed may actually defeat the purpose of the underlying law—protecting consumer privacy.

“A common theme among businesses is a concern that compliance with the CCPA, and in particular, ‘requests to know,’ can ultimately result in possible data breaches or the disclosure of personal information to persons/entities with nefarious purposes,” explained Ana Tagvoryan, a partner at the law firm Blank Rome.

A “request to know” refers to a consumer’s request that a business disclose the personal information it has about the consumer. The consumer may ask for categories of personal information the business has requested, but he or she may also ask for the specific pieces of information the business has about the consumer.

Commenters also expressed concern about requests to access or delete so-called “household” information. “Several commenters have asked the AG to clarify the ‘household’ definition out of concern that the current definition is unclear and may lead to unintended disclosures of private information,” said Mark Brennan, lead innovation partner at the law firm Hogan Lovells.

Along those lines, the Small Business Data Privacy Committee, which represents tens of thousands of businesses, wrote in its comments on the proposed regulations that businesses “are mandated to protect individual privacy but required to release household information without a means of verifying the identity of the requestor.”

Given the risk of inadvertently providing someone’s personal information to an impostor or another inappropriate person, some businesses would prefer to just provide the categories of information they collect to those who ask. Alternatively, some commenters have asked the California AG to “provide voluntary security standards for businesses, compliance with which will protect the businesses under a safe-harbor provision,” explained Neeru Jindal, an associate at Blank Rome.

Regs outside the scope of the law?

Other commenters have expressed concern the proposed regulations exceed their statutory authority.

“Businesses have called out some of the disclosure and notice-related obligations” of the regulations as proposed, Bharadwaj said. These commenters argue the proposed regulations “leave room for ambiguity” and also “go beyond the requirements, and arguably the letter and spirit, of the statute, without adding any benefit to consumers or regulators,” Browning explained.

A number of entities subject to California’s privacy law requirements have asked the effective date of any final regulations be “delayed way past the current proposed enforcement date of July 1, 2020, as there will simply not be sufficient time for businesses to prepare to comply,” Bharadwaj said.

What’s next?

The California AG’s office is “currently reviewing the comments and considering potential revisions to the regulations,” Brennan explained. Any changes to the proposed regulations “would trigger a new notice and comment period” of 15 or 45 days, depending on the extent of the revisions, Brennan continued.

Still, the regulations could be finalized early in 2020, Bharadwaj and Browning predicted.

The public comments on the regulations the California attorney general received may be accessed on the AG’s Website.

Lori Tripoli is a writer based in the greater New York City area who focuses on legal and regulatory issues.