On June 1, California’s Office of the Attorney General submitted the final proposed regulations package for the California Consumer Privacy Act to the Office of Administrative Law for review. Included in this package is the Final Statement of Reasons, explaining the modifications from the initially proposed text of the regulations, as well as a summary of all the comments received during the rulemaking process and the OAG’s responses, attached as appendices A, C, and E to the FSOR.
For businesses or practitioners dealing with compliance issues, the OAG commentary is an important resource to consider.
The OAG’s responses address why certain modifications were made (or not) to the proposed regulations, confirm and clarify how it is interpreting certain CCPA provisions, and flag topics the OAG is still considering. They also appear to provide some insight regarding the OAG’s enforcement focus. There is substantial granularity, as the comments and responses are organized by the specific sections and subsections of each regulation. Together, Appendices A, C, and E total almost 500 pages. Reviewing a few of the regulatory provisions illustrates how this commentary may help inform compliance decisions.
The importance of notices, privacy policies and the “do not sell” link
No blanket exemption for trade secrets and intellectual property
Several of the comments raise the issue of the CCPA potentially requiring disclosure of proprietary and/or trade secret information. While CCPA Section 1798.185(a)(3) discusses the attorney general adopting regulations regarding “any exceptions necessary to comply with state or federal law, including, but not limited to, those relating to trade secrets and intellectual property rights …,” there is no such exemption in the final proposed regulations.
For businesses concerned about this issue, the OAG’s responses to these comments are instructive.
Responses 323 and 901 in Appendix A address comments seeking an exemption from the CCPA for proprietary information, intellectual property or trade secrets. In a lengthy commentary, the OAG rejected these requests. It determined “the comments fail to show how an exemption for protection of intellectual property rights is necessary” as they “fail to explain how a consumer’s personal information collected by the business could be subject to the business’s copyright, trademark, or patent rights, or how a business could possibly patent, trademark or copyright a consumer’s personal information” (Response 901/Appendix A).
The OAG’s responses also noted that even if a consumer’s personal information could potentially be considered a trade secret, “neither federal nor state law provides absolute protection for trade secrets.” Importantly, the OAG concluded, “a blanket exemption from disclosure for any information a business deems could be a trade secret or another form of intellectual property would be overbroad and defeat the Legislature’s purpose of providing consumers with the right to know information businesses collect from them.”
There also were comments specifically challenging the obligation in the Notice of Financial Incentive, Section 999.307(b)(5), requiring businesses to provide a “good-faith estimate of the value of the consumer’s data” on the grounds that disclosing the “description of the method the business used to calculate the value of the consumer’s data” as required by the regulation involves proprietary information. The OAG similarly rejected this position, finding the comments did not adequately demonstrate the information was a “trade secret,” referencing the definition in California’s Uniform Trade Secrets Act, Section 3426.1 (Response 247/Appendix A and Response 25/Appendix E).
The OAG again reiterated the protection of trade secrets is not absolute and allowing a broad exemption in this context “would be overbroad and defeat the Legislature’s purpose of protecting consumers’ privacy and prevent discrimination against consumers who exercise their privacy rights.”
Disclosing consumer request metrics is ‘necessary’ to assess compliance
The OAG commentary explains its position regarding the mandatory disclosures for businesses handling a large amount of consumer data. Section 999.317(g) of the proposed final regulations requires a business “that knows or reasonably should know” it buys, receives, sells or shares the personal information of 10 million or more consumers in a calendar year to compile and disclose specific information regarding consumer requests. The OAG disagreed with a comment requesting this provision be eliminated because it exceeded the scope of its authority, stating in Appendix A/Response 652, “the regulation is necessary” and “the value of public disclosure outweighs the burden.” In the FSOR, the OAG explained “the compilation and reporting metrics are reasonably necessary to measure compliance with the CCPA,” noting the benefit of assessing whether response times are complying with the required 45-day timeframe, understanding whether requests “are systemically being denied,” and having transparency regarding the number of requests being received.
In both the FSOR and other Appendix A comments, the OAG also noted the public disclosure of this information will allow “academics, consumer advocates, business groups, and others to research and analyze this data.”
The OAG increased the reporting threshold from 4 million to 10 million to lessen the burden on small businesses, as explained in the FSOR. Ten million consumers represent approximately 25% of California’s population. In response to comments expressing concern over the difficulty of following this reporting requirement, the OAG makes clear compliance is expected, stating “[b]usinesses that are managing the personal information of roughly 25 percent of California’s population shall make good faith efforts to develop systems that would track their compliance with the CCPA and these regulations” (Appendix A/Comment 658).
There may be additional regulations
Rulemaking for the CCPA was an involved process, with multiple rounds of revisions to the initial proposed regulations. The OAG responses suggest it may not be over, as it continues to look at particular issues raised by the comments. In many of its answers, the OAG stated it “has prioritized the drafting of regulations that operationalize and assist in the immediate implementation of the law. Further analysis is required to determine whether a regulation is necessary on this issue.”
Areas in which the OAG indicated it may be considering further regulation include:
The first modified regulations proposed in February 2020 included a new provision, Section 999.302 Guidance Regarding the Interpretation of CCPA Definitions. It offered further guidance regarding whether the information is “personal information” and included a specific example of a business collecting IP addresses. The second set of modifications issued in March 2020 deleted this provision. However, in Response 9/Appendix E, the OAG stated “[f]urther analysis is required on this issue.” The OAG’s responses also indicate it may take a closer look at whether certain definitions, including “business,” “business purpose” and “sale” require regulation.
The opt-out button
CCPA Section 1798.185(a)(4)(C) refers to the attorney general adopting regulations related to “the development and use of a recognizable and uniform opt-out logo or button by all businesses to promote consumer awareness of the opportunity to opt-out of the sale of personal information.” The first modified regulations included an opt-out button in Section 999.306(f) that was deleted in the second set of modifications. In Response 84/Appendix C, the OAG stated it deleted the proposed regulation “to further develop and evaluate” a uniform opt-out logo or button.
Many of the comments asked the attorney general to provide models, sample language or templates for businesses to use. The OAG’s responses suggest it is considering these requests.
The OAG’s responses contain useful information regarding its rationale for the modifications to the regulations and its decision not to accept certain comments.
There are still unanswered questions, as identified here and in this piece for the IAPP’s Privacy Tracker by Husch Blackwell’s David Stauss, CIPP/US, CIPT, FIP, and Malia Rogers, which analyzed the OAG’s comments with respect to cookies and tracking technologies. Additional regulations appear to be a real possibility and if the California Privacy Rights Act ballot initiative passes in November, this will further impact CCPA compliance and the regulatory framework.
The IAPP will continue to monitor and report on this changing landscape.