Top 5 Takeaways from the CCPA Hearings

Jan 23, 2020 by BBB National Programs

In December, BBB National Programs staff attended the Attorney General hearings on the California Consumer Privacy Act (CCPA). The CCPA hearings were in the style of a public forum, with staff from the California Attorney General’s office listening intently to community input. (Written comments were also accepted and can be downloaded here.) The hearings included business representatives from a wide variety of industries and businesses of all sizes. Even with such diversity of industry, testimony coalesced around three main themes: (1) implementation hurdles such as the narrow timeline, (2) the need for clarity, and (3) the risk of unintended consequences.

 

Themes of the CCPA hearings:

 

Time and other hurdles. Businesses want to do right by their customers by embracing data privacy best practices. Many speakers described their ongoing efforts to align their practices with the requirements of CCPA and GDPR. These businesses realize that privacy is a differentiator, but many pointed to the narrow timeline of CCPA implementation as presenting a real obstacle to full compliance and stretching privacy budgets thin within their organization. Also top-of-mind for many commenters was the joint challenge of implementing fair and effective access and deletion tools while accurately authenticating requester identities.

 

The need for clarity. Testimony drew the Attorney General’s attention to the implementation questions that most urgently require clear guidance. Among these:

-          Do Not Sell My Information. What should the button look like? How should it function? Many commenters requested speedy guidance in this area, expressing concern at the risk of rolling out an implementation, but finding out later that they must start over.

-          Third parties. Is there overlap in the rules governing “service providers” and “third parties”? Are non-profits fully exempt?

-          Conflicts with other laws. Definitional issues, such as how personal information is defined under CCPA, could cause conflicts when implementing alongside other existing laws. Industries with existing regulations spoke up on this point. For example, how should financial institutions comply with CCPA in areas where it conflicts with state and federal financial privacy laws?

-          Notice requirements. How much detail must be included in public privacy notices? How much need only be provided to consumers at the time that they request access to their personal data?

 

Unintended consequences. Representatives of certain industries, such as auto manufacturers and mail order marketers, described expected outcomes of the CCPA that were probably not intended by legislators. Other requirements of the CCPA were tagged as particularly burdensome for small businesses. On the top of this list was the toll-free number provision, which many pointed to as significantly increasing compliance costs for small and medium enterprises, while describing the possible adverse effects on privacy of the inevitable use of third-party vendors to implement a toll-free privacy complaints line.

 

Takeaways for businesses:

 

BBB National Programs staff left the hearings with a renewed sense of the inevitability of strong privacy rules continuing to impact businesses of all sizes. Top-of-mind for many businesses was not the threat of enforcement from the Attorney General, but the specter of a motivated plaintiff’s bar making use of the CCPA’s private right of action. With this and future privacy laws in mind, we recommend continuing to adapt your practices to prepare for the full effect of CCPA-style rules. Specifically:

 

  1. Immediately take steps to align your practices with CCPA—and general data privacy best practices. Businesses will be expected to make efforts towards compliance. You must be engaged on compliance beyond mere words; you’ve got to be able to show something toward your efforts.
  2. Take data security seriously. Litigation under CCPA is likely to focus on data breaches. Make sure your business is prepared to prevent breaches and handle them correctly when they happen.
  3. Do not be afraid to implement a Do Not Sell My Personal Information button, even if it is a simple mechanism. Do not wait on the Attorney General to craft detailed guidance. Implement what works best for your organization in a manner that connects the dots between the law and your business practices.
  4. As always, remember to match what you’re saying with what you’re doing. Consistency is key and deception still forms the core of U.S. privacy enforcement.
  5. Keep track of your privacy compliance costs. Real numbers on the burdens of meeting compliance under new privacy regulations are going to continue to be important in ongoing discussions of privacy regulation.

 

Next steps:

As privacy compliance best practices continue to evolve, BBB National Programs remains committed to actively gathering feedback from our diverse stakeholders on their compliance efforts. If you are involved in privacy compliance within your business, and would like to be part of our discussions, please get in touch with us.  

Suggested Articles

Blog

Are used cars covered under lemon laws?

Do your homework to make sure the used car you plan to buy is not a lemon, and if it is, does the lemon law cover it? The answer may depend on where you purchased the vehicle or where you live.
Read more
Blog

Case Study: Getting to Compliance with CARU and COPPA

In a recent case, CARU worked with TickTalk to help them achieve compliance with CARU’s Privacy Guidelines and the Children’s Online Privacy Protection Act (COPPA). CARU sat down with TickTalk once the case had closed to discuss their experience as well as some of the privacy challenges many companies face in the children’s space.
Read more
Blog

What to Know About the Georgia Lemon Law

BBB AUTO LINE provides an overview of each state’s lemon laws. In our ongoing blog series, we offer further insights on the laws for select states, and how BBB AUTO LINE can support consumers with lemon law disputes. Florida, California, and Texas have been covered. This post reviews the nuances of the lemon law in the Peachtree State – Georgia.
Read more
Blog

The TAPP Roadmap: Helping U.S. Companies Responsibly Collect and Manage Teenager Data

The TeenAge Privacy Program (TAPP) Roadmap was designed to assist any business that wishes to engage proactively with teen consumers, providing an operational framework to map the broad spectrum of potential harms impacting teens onto a concrete set of operational considerations.
Read more