Top 5 Takeaways from the CCPA Hearings

Jan 23, 2020, 10:00 AM by BBB National Programs

In December, BBB National Programs staff attended the Attorney General hearings on the California Consumer Privacy Act (CCPA). The CCPA hearings were in the style of a public forum, with staff from the California Attorney General’s office listening intently to community input. (Written comments were also accepted and can be downloaded here.) The hearings included business representatives from a wide variety of industries and businesses of all sizes. Even with such diversity of industry, testimony coalesced around three main themes: (1) implementation hurdles such as the narrow timeline, (2) the need for clarity, and (3) the risk of unintended consequences.

 

Themes of the CCPA hearings:

 

Time and other hurdles. Businesses want to do right by their customers by embracing data privacy best practices. Many speakers described their ongoing efforts to align their practices with the requirements of CCPA and GDPR. These businesses realize that privacy is a differentiator, but many pointed to the narrow timeline of CCPA implementation as presenting a real obstacle to full compliance and stretching privacy budgets thin within their organization. Also top-of-mind for many commenters was the joint challenge of implementing fair and effective access and deletion tools while accurately authenticating requester identities.

 

The need for clarity. Testimony drew the Attorney General’s attention to the implementation questions that most urgently require clear guidance. Among these:

-          Do Not Sell My Information. What should the button look like? How should it function? Many commenters requested speedy guidance in this area, expressing concern at the risk of rolling out an implementation, but finding out later that they must start over.

-          Third parties. Is there overlap in the rules governing “service providers” and “third parties”? Are non-profits fully exempt?

-          Conflicts with other laws. Definitional issues, such as how personal information is defined under CCPA, could cause conflicts when implementing alongside other existing laws. Industries with existing regulations spoke up on this point. For example, how should financial institutions comply with CCPA in areas where it conflicts with state and federal financial privacy laws?

-          Notice requirements. How much detail must be included in public privacy notices? How much need only be provided to consumers at the time that they request access to their personal data?

 

Unintended consequences. Representatives of certain industries, such as auto manufacturers and mail order marketers, described expected outcomes of the CCPA that were probably not intended by legislators. Other requirements of the CCPA were tagged as particularly burdensome for small businesses. On the top of this list was the toll-free number provision, which many pointed to as significantly increasing compliance costs for small and medium enterprises, while describing the possible adverse effects on privacy of the inevitable use of third-party vendors to implement a toll-free privacy complaints line.

 

Takeaways for businesses:

 

BBB National Programs staff left the hearings with a renewed sense of the inevitability of strong privacy rules continuing to impact businesses of all sizes. Top-of-mind for many businesses was not the threat of enforcement from the Attorney General, but the specter of a motivated plaintiff’s bar making use of the CCPA’s private right of action. With this and future privacy laws in mind, we recommend continuing to adapt your practices to prepare for the full effect of CCPA-style rules. Specifically:

 

  1. Immediately take steps to align your practices with CCPA—and general data privacy best practices. Businesses will be expected to make efforts towards compliance. You must be engaged on compliance beyond mere words; you’ve got to be able to show something toward your efforts.
  2. Take data security seriously. Litigation under CCPA is likely to focus on data breaches. Make sure your business is prepared to prevent breaches and handle them correctly when they happen.
  3. Do not be afraid to implement a Do Not Sell My Personal Information button, even if it is a simple mechanism. Do not wait on the Attorney General to craft detailed guidance. Implement what works best for your organization in a manner that connects the dots between the law and your business practices.
  4. As always, remember to match what you’re saying with what you’re doing. Consistency is key and deception still forms the core of U.S. privacy enforcement.
  5. Keep track of your privacy compliance costs. Real numbers on the burdens of meeting compliance under new privacy regulations are going to continue to be important in ongoing discussions of privacy regulation.

 

Next steps:

As privacy compliance best practices continue to evolve, BBB National Programs remains committed to actively gathering feedback from our diverse stakeholders on their compliance efforts. If you are involved in privacy compliance within your business, and would like to be part of our discussions, please get in touch with us.  

Other Blog Articles

Blog

Status Update on Transatlantic Data Transfers: Building Bridges Takes Time

As 2020 draws to a close it is a good time to reflect on learnings about the future of authorized transatlantic data transfer mechanisms. In light of Brexit and continuing developments surrounding Schrems II, we discuss what the structure of the current Privacy Shield Framework can teach us much about what future commercial transfer mechanisms are likely to look like, as well as what businesses can do to shore up their compliance efforts.
Read more
Blog

Operation Income Illusion: A Positive Step by the FTC to Curb Deceptive Income Claims

The Federal Trade Commission (FTC)’s December 14 Operation Income Illusion initiative is a crackdown by the FTC and 19 federal, state, and local law enforcement partners against those that purport to offer significant income opportunities but that end up costing consumers thousands of dollars. This effort is consistent with an ongoing effort in the direct selling industry to ensure income claims are communicated truthfully and accurately.
Read more
Blog

CFBAI and CCAI 2019 Report on Compliance and Progress Published

BBB National Programs has published the Children's Food and Beverage Advertising Initiative (CFBAI) and Children’s Confection Advertising Initiative (CCAI) Report on Compliance and Progress During 2019. The report finds excellent compliance by all companies participating in the programs from January 2019 – December 2019. The report also notes the CFBAI participants’ implementation of stricter Uniform Nutrition Criteria in 2020.
Read more
Blog

CARU’s Year in Review: Defining Kidvertising and Tackling Hot Topics Head On

During an uncertain year, the team at the Children’s Advertising Review Unit (CARU) stayed busy. Through casework, online conferences, an evolving technology landscape, updates to policy and guidelines, and new thought leadership, our efforts furthered our mission to help companies comply with the laws and guidelines that protect children and their personal data.
Read more