Top 5 Takeaways from the CCPA Hearings

In December, BBB National Programs staff attended the Attorney General hearings on the California Consumer Privacy Act (CCPA). The CCPA hearings were in the style of a public forum, with staff from the California Attorney General’s office listening intently to community input. (Written comments were also accepted and can be downloaded here.) The hearings included business representatives from a wide variety of industries and businesses of all sizes. Even with such diversity of industry, testimony coalesced around three main themes: (1) implementation hurdles such as the narrow timeline, (2) the need for clarity, and (3) the risk of unintended consequences.

Themes of the CCPA hearings:

Time and other hurdles. Businesses want to do right by their customers by embracing data privacy best practices. Many speakers described their ongoing efforts to align their practices with the requirements of CCPA and GDPR. These businesses realize that privacy is a differentiator, but many pointed to the narrow timeline of CCPA implementation as presenting a real obstacle to full compliance and stretching privacy budgets thin within their organization. Also top-of-mind for many commenters was the joint challenge of implementing fair and effective access and deletion tools while accurately authenticating requester identities.

The need for clarity. Testimony drew the Attorney General’s attention to the implementation questions that most urgently require clear guidance. Among these:

• Do Not Sell My Information. What should the button look like? How should it function? Many commenters requested speedy guidance in this area, expressing concern at the risk of rolling out an implementation, but finding out later that they must start over.
• Third parties. Is there overlap in the rules governing “service providers” and “third parties”? Are non-profits fully exempt?
• Conflicts with other laws. Definitional issues, such as how personal information is defined under CCPA, could cause conflicts when implementing alongside other existing laws. Industries with existing regulations spoke up on this point. For example, how should financial institutions comply with CCPA in areas where it conflicts with state and federal financial privacy laws?
• Notice requirements. How much detail must be included in public privacy notices? How much need only be provided to consumers at the time that they request access to their personal data?

Unintended consequences. Representatives of certain industries, such as auto manufacturers and mail order marketers, described expected outcomes of the CCPA that were probably not intended by legislators. Other requirements of the CCPA were tagged as particularly burdensome for small businesses. On the top of this list was the toll-free number provision, which many pointed to as significantly increasing compliance costs for small and medium enterprises, while describing the possible adverse effects on privacy of the inevitable use of third-party vendors to implement a toll-free privacy complaints line.

Takeaways for businesses:

BBB National Programs staff left the hearings with a renewed sense of the inevitability of strong privacy rules continuing to impact businesses of all sizes. Top-of-mind for many businesses was not the threat of enforcement from the Attorney General, but the specter of a motivated plaintiff’s bar making use of the CCPA’s private right of action. With this and future privacy laws in mind, we recommend continuing to adapt your practices to prepare for the full effect of CCPA-style rules. Specifically:

1. Immediately take steps to align your practices with CCPA—and general data privacy best practices. Businesses will be expected to make efforts towards compliance. You must be engaged on compliance beyond mere words; you’ve got to be able to show something toward your efforts.
2. Take data security seriously. Litigation under CCPA is likely to focus on data breaches. Make sure your business is prepared to prevent breaches and handle them correctly when they happen.
3. Do not be afraid to implement a Do Not Sell My Personal Information button, even if it is a simple mechanism. Do not wait on the Attorney General to craft detailed guidance. Implement what works best for your organization in a manner that connects the dots between the law and your business practices.
4. As always, remember to match what you’re saying with what you’re doing. Consistency is key and deception still forms the core of U.S. privacy enforcement.
5. Keep track of your privacy compliance costs. Real numbers on the burdens of meeting compliance under new privacy regulations are going to continue to be important in ongoing discussions of privacy regulation.

Next steps:

As privacy compliance best practices continue to evolve, BBB National Programs remains committed to actively gathering feedback from our diverse stakeholders on their compliance efforts.

The BBB EU Privacy Shield program, a division of BBB National Programs, provides compliance assistance for U.S. businesses preparing for self-certification under the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks, as well as ongoing review of the Privacy Shield notices and certifications of participating businesses and up-to-date guidance on privacy compliance. At its core, BBB EU Privacy Shield operates an independent third-party dispute resolution mechanism enabling European Union and Swiss individuals to resolve Privacy Shield complaints against participating businesses.