Internet Association Warns California AG Not to Amplify Privacy Law's Flaws
Internet companies urged flexible reading of California’s privacy law. The California Consumer Protection Act (CCPA) will be enforced from Jan. 1, though Attorney General Xavier Becerra (D) has until July 1, 2021, to adopt rules and guidance interpreting CCPA. “It would be unfortunate if the lack of clarity or conflicts in the statute were amplified in the implementing regulations,” the Internet Association commented. Privacy advocates urged the AG to make it easy for consumers to take advantage of CCPA rights, while some specialized industries sought exemptions.
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
The AG office plans to publish proposed rules this fall, while the legislature separately weighs possible amendments to the law (see 1902010015). The AG office hosted forums and sought written comments before the rulemaking’s formal start. Comments weren't posted by the government but we obtained some.
IA supports “consumer rights to access, deletion, transparency, and choice” but is concerned how they were implemented here: “In some cases a literal reading of the statutory text creates direct conflicts between provisions.” Don’t require businesses “respond to access and deletion requests in ways that require the businesses to make determinations as to which common identifier is associated with a specific individual or respond to requests in ways that may negatively impact other consumers,” IA said. Be flexible on how consumers submit opt-out and deletion requests, it urged. Give “reasonable discretion to the responding company as to how to authenticate a consumer request, rather than prescriptive measures that could be circumvented or become outdated,” IA said.
Internet companies agree they shouldn’t discriminate against customers who exercise privacy rights, but CCPA language could create unintended consequences, IA said. “If a consumer exercises the right to delete their personal information, such as their billing information, a business will not be able to charge the consumer for subscription services,” but “an arguable reading of section 1798.125, subdivision (a)(1)(A) would be that a business cannot deny a consumer a service, even a fee service, based on the deletion of personal information even if that results in the consumer defaulting on payment.”
AG rules should “protect the privacy and security of consumers from fraudulent requests for their data, while ensuring that consumers can readily make bona fide requests,” the Electronic Frontier Foundation commented. Consumers should be able to opt out of personal data sales automatically using browser-based “do not track” requests, EFF said. A CCPA requirement consumer requests be “verifiable” shouldn’t make opting out difficult, EFF said. “Opt-out requests do not raise significant privacy and security hazards for consumers, so there is no need for verification,” it said.
The AG should give guidance on CCPA’s opt-in requirement for personal information of those under 16, Common Sense Media said. “Children visiting sites, services, and businesses should not have the misimpression that companies are selling their information,” and opted-in children should be able to opt out anytime, the privacy advocate said.
Exempt education technology vendors, urged the Software and Information Industry Association. “There is a strong potential for confusion and conflict with contracts established between an educational technology vendor and the school or state/local government agencies, as well as the legitimate educational interests and the direct control that schools and state/local government agencies are to have over student records by law.” SIIA doesn’t seek exemption for cases where there's a direct relationship between the business and consumer.
Ensure CCPA protects news-media freedom, said the News Media Alliance. News publishers should still be able to use ads to support low-cost and widely available journalism, it said. The AG should clarify that sharing personal information by a news organization with another business isn’t a sale, it said.
The AG should support a federal privacy law pre-empting states, the Information Technology and Innovation Foundation commented. CCPA increased regulatory costs and complexity for businesses, ITIF said. Don’t enforce CCPA outside California but do clarify exemptions for financial, healthcare and other data protected by existing laws, ITIF said. Legislators shouldn’t expand CCPA as Becerra proposed last month (see 1902250067), ITIF said.