Late this week, the California Attorney General released much-anticipated proposed regulations implementing the California Consumer Privacy Act (CCPA), which goes into effect on Jan. 1, 2020. Entities interested in commenting on the proposed regulations have until 5 p.m. PST on Dec. 6 to provide input. Public hearings giving interested individuals an opportunity to present statements will be held in California in early December. Information about dates, times, and locations is here.
“We are definitely moving in the right direction,” says Cynthia Cole, special counsel at the law firm Baker Botts, when asked whether the proposed rules provide a substantive roadmap for compliance with the CCPA.
A good start
“The draft rules provide valuable insight into the attorney general’s interpretation of how companies should implement CCPA requirements in practice,” explains Christine Lyon, a partner at the law firm Morrison & Foerster. In particular, the draft rules “provide helpful operational guidance about notices and handling consumer requests under the CCPA,” she continues.
There still may be opportunity for improvement. “The rules do not give a roadmap for how to deal with the trickier aspects of the CCPA,” observes Ryan Hogan, director of strategic advisory services at BSI, a business improvement company. “Companies seeking specific step-by-step guidance on verifying a consumer’s identity may be disappointed that the rules do not provide more detail,” Lyon says. “The rules about financial incentives and discriminatory practices seem to raise more questions than answers for companies trying to manage loyalty programs and incentives,” she continues.
The regulated community might still be able to sway the California attorney general to make some changes. “These are draft rules,” Lyon points out. “It is important for companies to take a close look at the draft rules and participate in the public comment process to inform the attorney general about areas of concern,” she says.
A costly proposition?
There may be much to be apprehensive about. “The draft rules create new requirements that go beyond the statutory language of the CCPA,” Lyon says, pointing to certain consumer consent that must be obtained. The proposed rules “require obtaining a consumer’s explicit consent to use personal information for a purpose that wasn’t specified in the notice given to the consumer at the time of collection,” she explains. “This consent requirement is not found in CCPA itself and, if adopted, would create an even stricter regime than laws like the EU’s GDPR,” she cautions.
Others expressed similar views. “The draft regulations clarify certain aspects of the law, but in some cases they go well beyond the scope of the statute,” observes Lisa Sotto, a partner at the law firm Hunton Andrews Kurth. “Companies will need to evaluate how the additional requirements will affect their compliance strategy and ongoing readiness efforts.”
GDPR-like record-keeping requirements in the proposed California regulations may also give companies pause. Record keeping can be “a good practice in case you get investigated,” acknowledges D. Reed Freeman, Jr., a partner at the law firm WilmerHale. But those companies could then get dinged for not having sufficiently good records. Ultimately, the attorney general could “sue a company that is otherwise in compliance for not having records,” Freeman says.
Even the California attorney general acknowledges the challenge this rule will pose to businesses. “The adoption of these regulations may have a significant, statewide adverse economic impact directly affecting business,” the California Department of Justice wrote in a notice about the rule. A regulatory impact analysis revealed that “the cost businesses may collectively incur to comply with the regulations over the 10-year period of 2020 to 2030 is $467 million to ($16.4 billion),” the agency continued.
A hasty proposal?
While some in the regulated community may be breathing a collective sigh of relief that at least some additional direction on how to begin complying with the CCPA has been provided, the proposed rules may not be all that they were hoping for.
“The draft regulations do not provide clarity on some of the most challenging aspects of the CCPA,” Sotto notes. “For example, they do not offer guidance to companies in determining which of their disclosures of personal information might constitute a ‘sale’ under the law.”
Outfits running loyalty programs may want to pay close attention to the requirements of the proposed rules. “The draft rules would have significant operational impacts on loyalty programs and companies involved in the ‘sale’ of personal information,” Lyon says. “Companies that offer financial incentives in exchange for retention or sale of a consumer’s personal information now would need to state the estimated value of the consumer’s data, and identify the method used to calculate that valuation.”
The requirements become even more complicated for companies that sell personal data obtained from others. “Companies that sell personal data obtained from third-party sources would need to provide the consumer with notice and the opportunity to opt out of the sale, plus obtain signed attestations from the third-party source describing how it provided notice to the consumer at collection, including an example of the notice,” Lyon says.
Meanwhile, the clock still ticks toward the New Year’s effective date for the privacy act. “Many companies are not prepared” for the level of documentation that will be required and the method of verification that will be necessary, cautions Jodi Daniels, CEO of privacy consultant Red Clover Advisors. Even though the regulations implementing the law have not yet been finalized, companies “need to start planning now,” she says.
Lori Tripoli is a writer based in the greater New York City area who focuses on legal and regulatory issues.