Top 5 Takeaways from the CCPA Hearings

Jan 23, 2020, 10:00 AM by BBB National Programs

In December, BBB National Programs staff attended the Attorney General hearings on the California Consumer Privacy Act (CCPA). The CCPA hearings were in the style of a public forum, with staff from the California Attorney General’s office listening intently to community input. (Written comments were also accepted and can be downloaded here.) The hearings included business representatives from a wide variety of industries and businesses of all sizes. Even with such diversity of industry, testimony coalesced around three main themes: (1) implementation hurdles such as the narrow timeline, (2) the need for clarity, and (3) the risk of unintended consequences.

 

Themes of the CCPA hearings:

 

Time and other hurdles. Businesses want to do right by their customers by embracing data privacy best practices. Many speakers described their ongoing efforts to align their practices with the requirements of CCPA and GDPR. These businesses realize that privacy is a differentiator, but many pointed to the narrow timeline of CCPA implementation as presenting a real obstacle to full compliance and stretching privacy budgets thin within their organization. Also top-of-mind for many commenters was the joint challenge of implementing fair and effective access and deletion tools while accurately authenticating requester identities.

 

The need for clarity. Testimony drew the Attorney General’s attention to the implementation questions that most urgently require clear guidance. Among these:

- Do Not Sell My Information. What should the button look like? How should it function? Many commenters requested speedy guidance in this area, expressing concern about the risk of rolling out an implementation only to find out later that they must start over.

- Third parties. Is there overlap in the rules governing “service providers” and “third parties”? Are non-profits fully exempt?

- Conflicts with other laws. Definitional issues, such as how personal information is defined under CCPA, could cause conflicts when implementing alongside other existing laws. Industries with existing regulations spoke up on this point. For example, how should financial institutions comply with CCPA in areas where it conflicts with state and federal financial privacy laws?

- Notice requirements. How much detail must be included in public privacy notices? How much need only be provided to consumers at the time that they request access to their personal data?

 

Unintended consequences. Representatives of certain industries, such as auto manufacturers and mail order marketers, described expected outcomes of the CCPA that were probably not intended by legislators. Other requirements of the CCPA were tagged as particularly burdensome for small businesses. At the top of this list was the toll-free number provision, which many pointed to as significantly increasing compliance costs for small and medium enterprises, while describing the possible adverse effects on privacy of the inevitable use of third-party vendors to implement a toll-free privacy complaints line.

 

Takeaways for businesses:

 

BBB National Programs staff left the hearings with a renewed sense of the inevitability of strong privacy rules continuing to impact businesses of all sizes. Top-of-mind for many businesses was not the threat of enforcement from the Attorney General, but the specter of a motivated plaintiff’s bar making use of the CCPA’s private right of action. With this and future privacy laws in mind, we recommend continuing to adapt your practices to prepare for the full effect of CCPA-style rules. Specifically:

 

  1. Immediately take steps to align your practices with CCPA—and general data privacy best practices. Businesses will be expected to make efforts towards compliance. You must be engaged on compliance beyond mere words; you’ve got to be able to show something toward your efforts.
  2. Take data security seriously. Litigation under CCPA is likely to focus on data breaches. Make sure your business is prepared to prevent breaches and handle them correctly when they happen.
  3. Do not be afraid to implement a Do Not Sell My Personal Information button, even if it is a simple mechanism. Do not wait on the Attorney General to craft detailed guidance. Implement what works best for your organization in a manner that connects the dots between the law and your business practices.
  4. As always, remember to match what you’re saying with what you’re doing. Consistency is key and deception still forms the core of U.S. privacy enforcement.
  5. Keep track of your privacy compliance costs. Real numbers on the burdens of meeting compliance under new privacy regulations are going to continue to be important in ongoing discussions of privacy regulation.

 

Next steps:

As privacy compliance best practices continue to evolve, BBB National Programs remains committed to actively gathering feedback from our diverse stakeholders on their compliance efforts. If you are involved in privacy compliance within your business, and would like to be part of our discussions, please get in touch with us.  
