Speakers at December CCPA Hearings Reveal Biggest Lingering Compliance Gaps
This story was originally published on VentureBeat
Earlier this month, the California Office of the Attorney General (CAG) held hearings across four cities where the public could offer comments and feedback to lawmakers as part of the rulemaking process for the California Consumer Privacy Act (CCPA). The hearings drew speakers from a variety of industries, and their oral comments, as well as other written comments sent to the CAG’s office by Friday, December 6, are now available on the California Attorney General’s CCPA page.
While the hearings drew a number of concerns about the new data privacy law, which goes into effect January 1, four core issues emerged.
1. Crucial CCPA terms aren’t clearly defined
The most prominent concern that came out of the hearings was that terms central to the CCPA are unclear, making it difficult for companies to feel fully confident they are in compliance. At the San Francisco hearing alone, speakers said the definitions of personal information (PI) and service provider are unclear, as is what constitutes a sale. Speakers at the Los Angeles hearing made similar comments, adding that other terms like “business,” “reasonable security measures,” and “secure” transmissions of personal information were also unclear.
A common refrain was that the CCPA’s language was too vague or broad and overreaching. As a consequence, organizations have found key sections of the CCPA difficult to operationalize. They worry that the ambiguity of these terms could result in significant unintended consequences. For example, some argued that the broad definitions of PI and business may extend the reach of the CCPA to businesses that the AG likely had no intention of regulating, like small operations that serve fewer than 50,000 California customers but run high-traffic websites using cookies.
2. It’s unclear how CCPA’s scope affects other industry-specific regulation
Several commentators expressed confusion over the CCPA’s scope as it applies to companies that are already subject to industry-specific privacy legislation. At the San Francisco hearing, one speaker, representing a San Francisco credit union, indicated that the Gramm-Leach-Bliley Act (GLBA) and California Financial Information Privacy Act have definitions of PI that differ from the CCPA. She noted, though, that while the CCPA spells out exemptions to PI collected under the GLBA, inconsistencies in the definition of PI between laws have resulted in multiple interpretations about how the CCPA applies to data credit unions collect. Similar confusion may surround other regulations like HIPAA. At the Sacramento hearing, a speaker asked for clarification on how de-identification under the CCPA differs from de-identification under HIPAA, and how any de-identified data exempt from HIPAA should be handled by the CCPA.
3. Smaller organizations will have trouble meeting the January 1 deadline
Given the extensive scope of the CCPA, it’s no surprise that small and medium businesses have expressed concerns about the law’s reach and implications. Some organizations have said publicly that they’ll have substantial difficulty meeting the January 1 compliance deadline. At the San Francisco hearing, two speakers requested the compliance deadline be moved to 2022 to ensure their organizations could build a robust compliance program.
4. The system for data requests could be open to abuse
Speakers at the Los Angeles and San Francisco hearings also raised concerns about the potential for abuse with the request system. For example, they said that if companies were required to take unverified opt-out requests seriously, it could invite mass bot attacks by bad actors, either online or by phone. It’s been argued elsewhere that such abuse could effectively result in data request “denial of service” style attacks against organizations as their staff and infrastructure become tied up in an effort to respond to an unanticipated flood of fake requests. While tools exist to help automate data discovery and responses to data requests, some speakers argued that a “reasonable degree of certainty” should be the standard applied to requests, as that would give businesses more bandwidth to handle the issue.
What happens now?
Now that the hearings and the public comment period have passed, the CAG may use comments to revise the current draft regulations, after which the public will have 15 days (or longer) to provide comments on the revisions. So even though the CCPA goes into effect January 1, 2020, organizations should still expect changes to the law. Stakeholders should follow the rulemaking process closely while making sure to submit any concerns to the CAG during the next comment period. Enforcement of the finalized law will begin July 1, 2020; however, organizations must make good-faith efforts to comply starting January 1, 2020, and can be held liable for breaches of the law after this date.