In Limbo: Gripes with the CCPA’s Proposed Regulations by Cynthia J. Cole, Corporate Special Counsel at Baker Botts

CCPA rolls out with Proposed Regulations still in flux

The California Consumer Privacy Act (CCPA) went into effect on January 1, 2020. Proposed Regulations to the CCPA were released in October 2019 (Proposed Regulations) and open to public comment until December 6, 2019. The California Office of the Attorney General, Xavier Becerra, received hundreds of written comments from businesses, trade groups and organizations before the December deadline. The stated goal of the Proposed Regulations was to provide guidance to businesses on how to comply with the CCPA, but a review of the comments illustrates that there is still much confusion and possible expansion of the CCPA through the Regulations. Even before the Regulations are codified, these comments illustrate patterns about what makes businesses most anxious about the CCPA and its reach.

Opt-Outs: One of the most controversial provisions in the CCPA involves a consumer’s right to opt out of the sale of personal information (Section 1789.120(a)). A common thread in many comments was concern that the Proposed Regulations exceed the scope of the CCPA as enacted, and this concern is particularly acute in comments about the Proposed Regulations’ guidance for consumer opt-out rights. In particular, industry groups decry the regulation that would require businesses to treat a consumer’s web browser settings, such as user-enabled privacy controls or even a browser plugin, as a request to opt out of the sale of personal information to a third party. Section 999.315(a) of the Proposed Regulations describes user-enabled privacy controls as an acceptable method for consumers to submit an opt-out request, but industry groups say it exceeds the authority of the CCPA, which in Cal. Civ. Code section 1789.135(a) describes a business’s obligation to provide an opt-out link that enables a consumer or authorized agent to opt out of the sale of personal information. Comments argue that the text of the CCPA does not grant the Attorney General authority to require businesses to honor opt-out requests in a form other than the required “Do Not Sell My Info” link.

Sale of Personal Information: Many comments argued that a business that does not currently sell personal information should not be required to provide a “Do Not Sell My Info” opt-out link, because it would unfairly make consumers believe that the business sells personal information. Businesses claiming not to maintain any personal information feel similarly. There is an exception to the opt-out button baked into the CCPA for businesses that do not sell personal information, but comments indicate that many are not happy with that alternative either. The exception, described in Section 999.306(d), requires businesses to include a statement in their privacy policy that they do not and will not sell personal information. The issue is with the idea of promising that they will not sell personal information in the future, because such a statement could let consumers think that it’s a future promise ad infinitum.

Rights Requests: The CCPA allows a consumer to submit a “request to know” what personal information a business has on the consumer, the categories of third persons the information has been disclosed to, and the business or commercial purpose of the disclosure. A consumer may also submit a “request to delete” the personal information that the business has on the consumer. In addition to generalized concern over the cost and burden, businesses are concerned that they won’t be able to distinguish between fraudulent and legitimate requests by an individual. Many comments ask for guidance or stricter verification standards. Regarding costs, many comments complained about the burden imposed, particularly in having to acknowledge receipt of and explain future actions to be taken in response to a rights request within the required ten-day window, and particularly with respect to personal information that is not stored in a searchable format.

Additional Consent: Section 999.305 of the Proposed Regulations provides that businesses must inform consumers of the categories of personal information that may be collected from them and the purposes for which each category will be used. The notice must be given at or before the point at which the personal information is collected. The Proposed Regulations go on to state in Section 999.305(a)(3) that if a business wants to begin using personal information for a purpose not previously disclosed, the business must inform the consumer and obtain “explicit consent” to use it for the new purpose. Many businesses complained about this additional burden on them, and many non-business commenters argued that it would encourage businesses to draft over-encompassing, vague notices at the outset that would capture huge swaths of data use purposes without being meaningfully informative.

Non-Discrimination: Drawing fewer comments, but still a prevalent issue, is the CCPA’s Section 1798.125, which prevents a business from discriminating (e.g. charging different rates, providing a different level of quality of goods or services) against consumers who exercise their rights under the CCPA. Section 1798.125(b)(1). An exception to anti-discrimination allows a business to offer “financial incentives” to consumers who agree to the collection, sale, or deletion of personal information. But this exception has two major caveats that have businesses talking: to discriminate by offering different rates, the rate differential must be “directly related to the value provided to the consumer by the consumer’s data,” and to support the rate differential, the business must disclose a good faith estimate of the value of the consumer’s data.

The requirement to estimate and disclose the value of the consumer’s information appears to cause the most consternation. To offer a financial incentive, the financial incentive must be related to the value of the consumer’s data, but comments consistently decry the excessive burden that this entails, even to the point of claiming that it is impossible to estimate the value accurately. Commenters have asked for additional guidelines on how to calculate the value of consumer data. Section 999.337(b) of the Proposed Regulations currently suggests calculation guidelines, including estimating the average value to the business of a typical consumer’s data, the revenue generated from different classes of typical consumers, or the profit generated by the business from a consumer’s data. But industry groups argue that such a calculation cannot be accurate and say that disclosing an estimated value would not be meaningful to consumers.

So far the CCPA has defied a ballot initiative, supposed sloppy drafting, intense lobbying and federal preemption and went into effect, as planned, on January 1, 2020. The Proposed Regulations, while late in the timeline, further clarify the CCPA principles and will become part of what businesses need to grapple with in data privacy compliance. While most comments to the Proposed Regulations were general in nature, a pattern emerged as to sensitivities, especially for specific businesses. And not to be overlooked are the many comments that praised the CCPA and the Proposed Regulations and asked for heightened and specific enforcement of the most expansive data privacy legislation to date in the United States. Data Privacy in 2020 continues to provoke.