01.17.2019

The California Office of the Attorney General (OAG or Office) held the first two of its six public forums on January 8, 2019 in San Francisco and on January 14, 2019 in San Diego to solicit public comments and feedback in preparation for its rulemaking efforts under the California Consumer Privacy Act (CCPA). The OAG specifically welcomed comments across the seven rulemaking categories that fall within its responsibility:

  1. Categories of “personal information”
  2. Definition of “unique identifier”
  3. Exceptions to the CCPA
  4. Submitting and complying with requests
  5. The uniform opt-out logo or button
  6. What notices and information should businesses be required to provide to consumers
  7. Verification of consumers’ requests

In San Francisco, 14 speakers from businesses, nonprofit organizations, trade associations, universities, Perkins Coie and individual consumers sought clarifications to definitions in, and scope of, the statute and provided specific suggestions. In San Diego, a total of five speakers, including representatives from a trade association and a cybersecurity consulting firm, shared their input.

Requests for Clarification. Speakers identified common areas of ambiguity in the statute that impact both businesses and individual consumers. For example, speakers sought clearer definitions of “business,” “sale,” “consumer” and “specific pieces of information.” Specific concerns were raised regarding the definition of “sale” as it relates to the digital advertising space, the exemptions of the non-discrimination provisions and the placement of the opt-out button. 

Scope of the Definition of “Personal Information.” Several speakers touched on the definition of “personal information.” Some asked the OAG to ensure that its current expansiveness remains, while others expressed concern that the definition is over-inclusive, specifically in its inclusion of IP addresses given that IP addresses are not actually capable of identifying only a single individual, but can be associated with a household or even an entire company. Other speakers added the concern that the broad scope of the definition of “personal information” may cause some businesses to delete or share too much information.

Safe Harbor. Speakers asked the OAG to support and implement safe harbor procedures for businesses to follow. Specifically, Perkins Coie Partner Jim Snell suggested that safe harbors be created so businesses may satisfy their compliance obligations under the Act in ways endorsed and protected by the OAG. A consulting firm representing startups and small businesses, including realtors and travel professionals, requested a safe harbor adhering to existing reasonable security standards set forth by the National Institute of Standards and Technology (NIST) in Special Publication 800-53.

Non-Discrimination Provisions. Speakers sought clarification regarding the ambiguity in the CCPA’s non-discrimination provisions and requested additional clarity related to the non-discrimination provisions’ application to consumer marketing programs, such as loyalty card programs. 

Template Forms. A speaker in San Diego requested that the OAG create a template or standardized form for entities to use to properly verify the identity of data subjects submitting requests under the CCPA.

The OAG continues to encourage attendance and participation in the remaining CCPA Rulemaking Public Hearings and the submission of written comments to the OAG (privacyregulations@doj.ca.gov).

Many specific issues faced by companies have not yet been discussed in the rulemaking. Yet, companies have an important opportunity to influence the rulemaking process. Perkins Coie is organizing comments for businesses, which will be anonymized and included in a report prepared by Perkins Coie to the AG’s office. Should you wish to be included, please submit your comments through our CCPA comment portal. Also, please remember to participate in our CCPA Readiness Survey to assess how your company compares to others when it comes to CCPA readiness and find out what approaches other companies are taking to become CCPA-compliant.