CYBER RISK & LAW

AG Hearings on the CCPA to Be Held in December

By David Chavez, Attorney | 11.1.2019


The California Attorney General (AG) has set forth the rules governing compliance with the California Consumer Privacy Act (CCPA) and, starting on December 2nd, will hold three hearings for public comment.

The rules and the hearings are of great interest to the InfoSec and privacy community because, while the law basically tells a business what it can and cannot do, it does not (with some exceptions) really go into detail on how to comply. That exercise is left to the rule-making authority of the AG. Some of the rules are fairly straightforward, but others are going to be far more difficult for the AG to corral and communicate. For example, the law allows a company to avoid compliance if such compliance conflicts with existing law. That could be complicated, but, impressively, the AG punts on it, basically leaving it up to the business that relies on the exception to explain the basis for the decision.

But a couple of other rules are going to be hard to implement, follow and enforce.

1. Notice at collection. Here a business is required to inform consumers of data collection activities at the time the information is collected. The disclosure needs to be “easy to read and understandable to the average consumer” in “plain, straightforward language”, in a format that “draws the consumer’s attention to the notice and makes the notice readable”. And, of course, it must be “visible or accessible where consumers will see it before any personal information is collected”. All of that sounds fine, but then the AG proposes an example that completely swallows the rule. “For example,” the proposed rule reads, “it may conspicuously post a link to the notice on the business’s website homepage . . .”. Hence, it looks like the AG is punting on this one too. Just like the little buttons called “Privacy” and “Terms” that appear at the bottom of a content-rich homepage (see, e.g., Target’s homepage), this button will get completely lost among the various homepage panels offering deals, sales, close-outs, free shipping and the rest. In other words, the only people who will be examining this notice will be the privacy lawyers.

2. Non-Discrimination. A consumer can request that a company delete the consumer’s data, or stop sharing or selling the data, and, if a consumer does make such a request, the responding business is prohibited from discriminating against the consumer for exercising that right.

The legislature describes the practice of discrimination as the usual discriminatory activity, such as denying goods and services to a customer, charging different rates, or providing a different level of goods or services. But that stricture is then diluted, big time. Notwithstanding the prohibition on discrimination, the law states “nothing prohibits a business from charging a customer a different rate, or providing a different level of service, if that difference is reasonably related to the value provided to the consumer by the consumer’s data”. So how much is your data worth? Especially if the business offers “financial incentives” for the use of your data, like a loyalty program? Here, the AG at least makes a valiant effort to provide guidance, but there are bound to be disputes, and very likely litigation.

In a remarkable display of rule-making courage, the AG proposes some directives for a reasonable and good faith calculation of the value of a consumer’s data. Note that the directives aren’t examples; the rules state the business “shall use one or more of the following”, including:

· the “marginal value” of the data,
· the “average value” of the data,
· the revenue or profit generated by the business,
· expenses related to the sale of the data,
· expenses related to the offer of a financial incentive, and, of course,
· “any other practical and reliable method of calculation used in good faith”.

How will businesses approach the proposed rules? Legislative hearings can be tedious affairs, but the hearings related to the new CCPA rules may have some sizzle. I’ll report back after they’ve concluded.