Businesses Urge Flexible CCPA Enforcement in California AG Rulemaking
Tech companies and advertisers made a last stand, raising concerns about the California Consumer Privacy Act before it takes effect Jan. 1. Comments were due Friday on implementing rules Attorney General Xavier Becerra (D) proposed in October and that must be finalized by July 1 when enforcement begins (see 1910100042). The AG office didn’t post the most recent comments online. Some sent theirs to us.
Sign up for a free preview to unlock the rest of this article
Communications Daily is required reading for senior executives at top telecom corporations, law firms, lobbying organizations, associations and government agencies (including the FCC). Join them today!
Thursday, the office posted filings through Nov. 22 in a single PDF. A spokesperson wouldn’t say when comments received by the deadline would go up. We filed a Public Records Act request for them.
Many proposed rules “would add to the significant compliance burdens and operational challenges already imposed by the CCPA ... without a commensurate benefit to privacy,” wrote CTA: Expanding requirements for notices and disclosures could increase their complexity and make them harder for consumers to understand. Proposed rules add to challenges for verifying and responding to consumer requests posed by the statute, it said. Rules “should simply require businesses to employ a reasonable, risk-based verification method that aims to protect the consumer and prevent malicious ... obtaining information.”
Draft rules “require significant new actions that go beyond the Legislature’s original intent,” and “will result in a confusing barrage of notices and disclosures that frustrate consumers and fail to provide stronger protections,” complained the Internet Association. The AG office exceeded its mandate and is writing new rules too close to the Jan. 1 effective date, said IA: businesses started working on compliance months ago.
Proposed rules “may have significant and detrimental consequences to consumers by threatening their ability to access products and services,” said the Association of National Advertisers, seeking clarifications. ANA urged more flexibility about loyalty programs and not requiring businesses pass consumer opt-outs to parties to whom they sold information in the previous 90 days. It disagreed with a proposal to count do-not-track browser settings as a valid request. Thursday, the Interactive Advertising Bureau finalized a compliance framework (see 1910220023).
A coalition sought changes. Clarifying the definition of “sale” includes “the most pervasive and invasive form of information sale: passing information for targeted advertising,” would stymie a plan by some ad-tech companies to get around opt-out requirements, commented the American Civil Liberties Union, Electronic Frontier Foundation, Common Sense and other privacy groups. Honor do-not-track browser settings and remove “the overbroad exception to consumers’ right to access because of a ‘risk to security,’" the coalition said. Don’t let businesses charge for privacy or give exemptions to data brokers, it said.
“Digital advertising is a significant source of revenue to media outlets,” reminded the News Media Alliance. Give news organizations time to develop frameworks for consistent opt-outs, NMA said. Rules shouldn’t require businesses to treat unverified requests to delete as requests to opt out of selling personal information, it said. Restricting ability to use information from one business to benefit another “would have severe negative implications for publishers’ ability to use on any service provider that provides analytic services,” it said.
Preserve California Public Utilities Commission regulatory oversight of utilities, that agency urged. A statutory or regulatory exception in the proposed language seems to support “public utilities’ ability to decline customer deletion requests based on CPUC regulatory activities,” it said. Opting out of sales shouldn’t affect utilities’ data collection and sharing the utility uses the information “for a public purpose.”
The software industry wants to clarify service providers “may use personal information received from a business or consumer to serve another entity -- when a business or consumer directs it to,” said BSA|The Software Alliance. Allow providers to “combine information received from one or more businesses” when necessary, it said. Providers should have to respond only to customer requests sent by a business “to help avoid the privacy and security risks associated with requiring service providers to respond directly to consumers, with whom they generally lack a direct relationship.”
Draft rules "run afoul" of the First Amendment by proposing to regulate public-domain information and impose requirements upon businesses that don’t collect information directly from consumers, said the Software & Information Industry Association: Rules must reflect a CCPA tweak enacted this year (see 1910150037) to exclude publicly available information from the definition of personal information.
Ensure "reasonable means to address the security and integrity of online games and game networks,” the Entertainment Software Association said in Nov. 6 comments released by the AG last week. Publishers want "explicit confirmation that the CCPA does not prevent them from protecting players of online video games from harassment, malicious conduct, and cheating by other players and from detecting and preventing cyber intrusions.”
Digital content companies “are concerned that, similar to what happened with the GDPR, some third-party companies will attempt to avail themselves of creative implementations of compliance with the CCPA such as for instance declaring themselves to be a business or an agent of the first-party business with which the user is interacting -- in clear defiance of consumer expectations -- or by attempting to burden publishers with unreasonable compliance requirements on their behalf,” Digital Content Next commented Nov. 7.
Adopt a minimum set of reasonable information security practices to dispel uncertainty about an exception to CCPA's right of compensation to consumers in data breaches, proposed IT practitioners, attorneys and law enforcement involved with cybersecurity called SecureTheVillage. The exception is for breached businesses that have “reasonable security procedures and practices appropriate to the nature of the information being protected.”
Californians for Consumer Privacy disputed an economic analysis of CCPA costs by the Berkeley Economic Advising and Research (see 1910090020). "It vastly overstates the economic impact of CCPA, as a result of guesses made by the authors," the group wrote Nov. 19. The report overstates how many businesses would be covered, misreads the law and lacks supporting facts, said the group that was behind the ballot initiative that led to CCPA.