Many Industries Seek to Sway California AG on CCPA Reading
Industries sought clarification or carve-outs to the California Consumer Privacy Act (CCPA) in comments last month to Attorney General Xavier Becerra (D). The state Department of Justice released a 1,305-page PDF Tuesday containing March 8 comments from its pre-rulemaking after our Public Records Act request (see 1903120036) and we obtained others (see 1903110042). Technology, finance, medical, insurance, entertainment, advertising and other industries weighed in. Hot topics included implementation date, verifying consumer requests, and definitions of households, personal information and other terms.
“Consumers want real privacy protections,” said Consumer Reports, opposing business calls for looser interpretations of the law that takes effect Jan. 1. The deadline for the AG rulemaking is July 1, 2020. “The AG should reject requests to narrow the categories of personal information covered by the law and the definition of unique identifier, to ensure that sensitive data is protected.” The AG should tighten restrictions on targeted ads and make it easy to opt out by honoring do-not-track browser requests and by creating a Do Not Sell registry like the Do Not Call list, CR said.
The AG should confirm “that not all information that can be linked to a rotating or resettable device-generated identifier is necessarily 'personal information,'” Apple said. “Keying data to rotating or resettable device-generated identifiers that are not associated with personally identifiable information are important techniques that protects user privacy.” Linking consumers to data previously keyed to such identifiers for CCPA compliance increases risk private information could be revealed in a data breach, it said. Recognize “the benefit of requiring sign-on to an existing account for verification provided such account has reasonable and appropriate security controls for access to personal information,” Apple recommended.
"The CCPA could stifle the continued growth of the creative economy and actually work to undermine existing practices designed to protect consumer information,” MPAA said. “The AG should issue guidance that personal information is not sold in cases where personal information is shared and used for content and service-related purposes as part of a joint venture, partnership or similar.”
CCPA coverage shouldn't retroactively cover data before Jan. 1, said the American Association of Advertising Agencies, Association of National Advertisers and other advertising groups jointly. Advertisers seek a flexible privacy framework.
California-specific groups representing national industries also commented.
Be flexible on how businesses verify consumer requests, urged the California Cable Telecommunications Association. “Allow businesses to verify requests based on, among other factors, a consumer's relationship with the business,” said CCTA. "This relationship varies depending if the consumer is a current account holder, former account holder, someone who is not an account holder but has a business relationship, or the consumer has no relationship with the entity subject to the CCPA.” Protect businesses from liability “if an unauthorized disclosure occurs even while verifying a consumer request with a permissible method,” it said.
Don't disrupt a burgeoning IoT industry, said the California Manufacturers and Technology Association. “It is unclear whether a manufacturer of a connected device, 'A' that communicates with second connected, 'B' has any obligations to the owner of Device B if Device A receives the device ID of B,” it said. Broad reading of the definition of “household” could inadvertently cover guests “in the home for only a few minutes that use a smart refrigerator,” it said.
“Literal adherence to the CCPA would require businesses to respond to consumer rights requests by providing personal information about an entire household or device, thereby reducing privacy protections,” said the California Chamber of Commerce. The chamber sought clarification that businesses don’t have to expose protected intellectual property. The definition of personal information should exclude “information not ‘reasonably’ capable of being associated with a consumer,” it said. “Pseudonymous information is not reasonably linkable to individual consumers” and businesses shouldn’t have to re-link such information to comply with a consumer request, it said.
Making CCPA more like GDPR and other privacy regimes would protect privacy and provide certainty to businesses, said Google. Handle deletion requests like EU's general data protection regulation that lets businesses "carefully weigh user deletion requests against other legitimate grounds for retaining data,” it said. "Access to a secured account from which information is being requested has proven the most reliable indicator of a requesting user's identity and their entitlement to receive information associated with the relevant identifier,” Google said. “Absent such a showing, these kinds of requests can be exploited by fraudsters, other malicious actors, and even domestic abusers.”
CCPA's non-discrimination language, “if interpreted and applied strictly, could disrupt the offering of video games through ad-supported and similarly innovative business models that have made it possible for a broad swath of players to access video games for little or no cost,” the Entertainment Software Association warned. “Modern game development and publishing is heavily dependent on data analysis and, to some extent, customized advertising, especially in the context of mobile games.”
Nontraditional tech stakeholders also weighed in.
“Civil damages authorized by the law are unreasonably burdensome and guarantee at least $100 to individuals whose personal information was part of an unauthorized access, exfiltration, theft or disclosure, who suffered no harm,” said the American Financial Services Association. “These damages would add up very quickly in the event of a large breach or a class action suit that could involve millions of customers.” Exempt data processing used for anti-fraud purposes, said Experian. The definition of personal information could jeopardize the accuracy of data in commercial credit reports, it said.
Harmonize the bill with existing financial privacy rules, and delay compliance requirements and enforcement activity until 12 months after regulatory standards, said the Bank Policy Institute. Align standards and requirements with existing privacy laws including the GDPR, said GitHub. Sync CCPA with state and federal insurance privacy rules, said the Association of California Life and Health Insurance Companies. Avoid conflicts with the Children's Online Privacy Protection Act, said the Toy Association.
Top car companies seek clarification “that automakers, and other businesses that process information associated with devices that are frequently operated by multiple users, are not required to provide in response to an access request specific pieces of personal information that have the potential to ‘adversely affect the rights and freedoms of other consumers,’” commented the Auto Alliance. Automakers share personal information with third parties that provide roadside assistance and other help, the alliance said.