Top 5 Takeaways from the CCPA Hearings

Jan 23, 2020, 10:00 AM by BBB National Programs

In December, BBB National Programs staff attended the Attorney General hearings on the California Consumer Privacy Act (CCPA). The CCPA hearings were in the style of a public forum, with staff from the California Attorney General’s office listening intently to community input. (Written comments were also accepted and can be downloaded here.) The hearings included business representatives from a wide variety of industries and businesses of all sizes. Even with such diversity of industry, testimony coalesced around three main themes: (1) implementation hurdles such as the narrow timeline, (2) the need for clarity, and (3) the risk of unintended consequences.

 

Themes of the CCPA hearings:

 

Time and other hurdles. Businesses want to do right by their customers by embracing data privacy best practices. Many speakers described their ongoing efforts to align their practices with the requirements of CCPA and GDPR. These businesses realize that privacy is a differentiator, but many pointed to the narrow timeline of CCPA implementation as presenting a real obstacle to full compliance and stretching privacy budgets thin within their organization. Also top-of-mind for many commenters was the joint challenge of implementing fair and effective access and deletion tools while accurately authenticating requester identities.

 

The need for clarity. Testimony drew the Attorney General’s attention to the implementation questions that most urgently require clear guidance. Among these:

-          Do Not Sell My Information. What should the button look like? How should it function? Many commenters requested speedy guidance in this area, expressing concern at the risk of rolling out an implementation, but finding out later that they must start over.

-          Third parties. Is there overlap in the rules governing “service providers” and “third parties”? Are non-profits fully exempt?

-          Conflicts with other laws. Definitional issues, such as how personal information is defined under CCPA, could cause conflicts when implementing alongside other existing laws. Industries with existing regulations spoke up on this point. For example, how should financial institutions comply with CCPA in areas where it conflicts with state and federal financial privacy laws?

-          Notice requirements. How much detail must be included in public privacy notices? How much need only be provided to consumers at the time that they request access to their personal data?

 

Unintended consequences. Representatives of certain industries, such as auto manufacturers and mail order marketers, described expected outcomes of the CCPA that were probably not intended by legislators. Other requirements of the CCPA were tagged as particularly burdensome for small businesses. On the top of this list was the toll-free number provision, which many pointed to as significantly increasing compliance costs for small and medium enterprises, while describing the possible adverse effects on privacy of the inevitable use of third-party vendors to implement a toll-free privacy complaints line.

 

Takeaways for businesses:

 

BBB National Programs staff left the hearings with a renewed sense of the inevitability of strong privacy rules continuing to impact businesses of all sizes. Top-of-mind for many businesses was not the threat of enforcement from the Attorney General, but the specter of a motivated plaintiff’s bar making use of the CCPA’s private right of action. With this and future privacy laws in mind, we recommend continuing to adapt your practices to prepare for the full effect of CCPA-style rules. Specifically:

 

  1. Immediately take steps to align your practices with CCPA—and general data privacy best practices. Businesses will be expected to make efforts towards compliance. You must be engaged on compliance beyond mere words; you’ve got to be able to show something toward your efforts.
  2. Take data security seriously. Litigation under CCPA is likely to focus on data breaches. Make sure your business is prepared to prevent breaches and handle them correctly when they happen.
  3. Do not be afraid to implement a Do Not Sell My Personal Information button, even if it is a simple mechanism. Do not wait on the Attorney General to craft detailed guidance. Implement what works best for your organization in a manner that connects the dots between the law and your business practices.
  4. As always, remember to match what you’re saying with what you’re doing. Consistency is key and deception still forms the core of U.S. privacy enforcement.
  5. Keep track of your privacy compliance costs. Real numbers on the burdens of meeting compliance under new privacy regulations are going to continue to be important in ongoing discussions of privacy regulation.

 

Next steps:

As privacy compliance best practices continue to evolve, BBB National Programs remains committed to actively gathering feedback from our diverse stakeholders on their compliance efforts. If you are involved in privacy compliance within your business, and would like to be part of our discussions, please get in touch with us.  

Other Blog Articles

Blog

A Cashless Future

How close are we from entering into a world where cash is no longer accepted? Do we truly understand the benefits and implications of completely going cashless and relying solely on financial transactions that are intimately connected with our data? Dr. Shelle Santana, Associate Professor at the Harvard University Business School, answers these questions and more on this episode of the >Better Series podcast.
Read more
Blog

All Things CCPA

After years of debate, discussion, and revisions, the California Consumer Privacy Act (CCPA) -- a law that gives consumers a wide range of rights and creates a series of obligations for businesses -- finally began enforcement on July 1st. Cobun Zweifel-Keegan, Deputy Director of BBB National Programs' Privacy Initiatives, joined Julian Flamant, Associate at Hogan Lovells US LLP, and Heather Federman VP of Privacy and Policy at BigID to discuss what the CCPA means for businesses inside and outside of California.
Read more
Blog

Schrems II: What Do Privacy Shield Businesses Need to Know?

The July 16 decision from the CJEU, known as Schrems II, addressed two mechanisms for transferring EU individuals’ personal data outside the EU. As the situation continues to develop, and before making changes to their practices around international data transfers, businesses should pause to review their data flows, contracts, and substantive commitments, and their current chain of compliance and accountability for data received from the EU.
Read more
Blog

Contact Tracing and Tech: An International Comparison

To confront coronavirus, governments across the globe have devised approaches for tracing its spread and quarantining individuals known to be carriers, also known as “contact tracing.” While almost all strategies rely on traditional means of contacting and recording the movements of infected individuals, many employ modern communications technologies: sensors, Bluetooth, GPS, thermal recognition, facial-recognition, and geofencing.
Read more