Some Answers, But Some Big Questions Remain

On February 7, the California Attorney General (AG) issued revised regulations regarding how the California Consumer Privacy Act (CCPA) will be interpreted and enforced. ANA is in the process of carefully analyzing these important proposed changes. We will be filing detailed comments on them before the February 25 deadline. Here’s what we note so far.

The new proposal positively includes some suggestions made by ANA and others in the business community to clarify the CCPA. For example, a few definitions (such as that for “personal information”) have been tightened, and further guidance about treatment of data in employment-related matters has been provided. Some unnecessary and perhaps duplicative requirements were replaced by less burdensome obligations (such as permitting businesses registered in California as “data brokers” to provide a link to their privacy policies through the registry rather than having to obtain signed attestations and example data collection notices). No longer is there a mandatory two-step process to confirm a request to delete information. 

Service providers also have some leeway regarding use of personal information, and businesses now must notify third parties of an opt-out if they sell personal information before they can comply with the request. Kudos to the AG and his staff for these changes, which should clarify some of businesses’ responsibilities in complying with the CCPA in furtherance of consumer privacy.

Nevertheless, the regulations still have significant problems that, if left uncorrected, will negatively impact both consumers and businesses. Among others, vague phrases are used that will be subject to unpredictable interpretation, such as when information can be “reasonably linked,” when collection notices are “reasonably accessible” to persons with disabilities, and the like. An obligation still exists to identify categories of third parties to whom information is sold or disclosed. It appears that, while the definition of “household” has been modified so as not to be based merely on occupancy of a location, the term requires that each individual in a household be verified. Businesses also will be unable to charge fees (including fees for notary services) to cover the costs of verifying a consumer’s request to know or delete.

One big concern for advertisers is that the proposed regulations provide that a browser setting indicates a consumer’s intent to opt out of a data sale. The proposal further states that, if a global setting conflicts with a specific privacy setting, it must be honored but the business can alert the consumer about the conflict and the consumer can indicate his/her intentions. The proposed mandated browser signal provisions would preclude consumers from making individual choices about data transfers by specific businesses, hindering the advertising community’s ability to market specifically to that consumer. 

Also, the revised proposed regulations attempt to address earlier concerns about loyalty and reward programs, but the adjustments may have made things worse. The new regulations now provide that if a business cannot make a “good-faith” estimate of the value of data or show that the financial incentive or the difference in a price or service is “reasonably” related to data value, the business can’t offer the financial incentive or price/service difference. Does that mean, for example, that each time a business offers a consumer a lower price for a product — like a coupon or discount code — this calculation of value must occur? Must a new calculation occur each time a service term is modified? The downside of these proposals, of course, is that loyalty programs could become so confusing and burdensome that they just aren’t offered, and that would be very unfortunate for both consumers and businesses.

We will continue to evaluate the AG’s latest draft and provide comments as appropriate during this review period.  Though enforcement won’t begin until July 1, there’s very little time for the AG to provide further clarifications about the law. Absent clear rules of the road, both consumers and businesses will be left guessing about their rights and obligations. Guessing games for values as fundamental as privacy are not a good situation for anyone involved.