On December 4th, the California Attorney General’s (AG) office held a public hearing in San Francisco on the California Consumer Privacy Act (CCPA). The hearing provided the public with an opportunity to take part in the CCPA rulemaking process. The rulemaking process is governed by the California Administrative Procedures Act which requires the AG to solicit comments from the public through hearings and in writing. The AG considers all comments, makes revisions to the proposed regulations where appropriate, and posts another draft of the regulations for public review and comment.
The San Francisco hearing took place at the Milton Marks Conference Center, where the room was packed with approximately 175 attendees, including TrustArc team members.
Representatives from the Office of the California AG started with a brief introduction and then allowed for pre-registered speakers to make their comments. With over 20 speakers, the public hearing lasted almost two hours and covered a wide range of CCPA-related topics and concerns. Below are some highlights from the hearing:
Individuals representing two different Bay Area credit unions spoke on the difficulties of complying with the complexities of the CCPA with a small staff and limited resources. Both asked for the enforcement date to be extended to January 1, 2022, pushing the date two full years. Extending the enforcement date would allow them the time needed to “get it right the first time,” they argued.
One of the co-authors of the CCPA text also spoke during the public hearing. He argued that the CCPA’s fifteen-day grace period for companies to process opt-out requests was simply too long, and that requests need to be processed immediately, or within 72 hours at the latest, adding, “If [a company] is able to start selling immediately, they should be able to stop selling immediately.”
A representative of an SF-based technology company criticized the “out of date” toll-free phone number required for CCPA compliance, especially for companies that conduct business solely online. She said the unnecessary requirement is expensive for companies to maintain, even if they do not receive a single phone call. She argued that companies could also become the targets of robocalls designed to exploit the way in which toll-free telephone numbers are billed in order to commit fraud for profit.
Another speaker, a CPO with over 20 years of privacy experience in California, asked the AG’s office to clarify the definitions of “business,” “service provider,” and “3rd party.” She stated definitions were needed for these three terms because they are often used differently within the text of the CCPA.
A data privacy advocate and former elected official expressed his concern over whether large technology companies will take the CCPA seriously. He commented that based on his conversations with C-Suite executives, attitudes towards the CCPA have been very cavalier, with statements ranging from “I’ll wait until there’s fines” to “I’m retiring soon, so it’ll be someone else’s problem to deal with.” The speaker suggested the AG’s office carry out tight enforcement in order to truly protect consumers.
The §999.315(c) requirement, that businesses treat browser privacy signals as valid requests to opt out, received attention from several speakers. Advocates commended the proposed regulation as giving consumers an accessible method to express their intent, while opponents argued that it would frustrate actual consumer intent. Two speakers expressed their belief that consumer intent would be better inferred through their interaction with an opt-out link or button.
TrustArc is an active participant in privacy conferences, and our team regularly attends policy hearings to help inform and shape our solutions. With privacy experts spanning the world in the U.S., Canada, Latin America, Europe and Asia, our team is at the forefront of the ever-changing privacy landscape. To speak with a privacy expert about the California Consumer Privacy Act, schedule a consultation today!