What Big Law, Tech Leaders Say About California's New Data-Privacy Law

California Attorney General Xavier Becerra testifies in Washington in September. Credit: Diego M. Radzinschi / ALM

Attorney General Xavier Becerra invited the public to share thoughts on what should be included in upcoming regulations enacting the California Consumer Privacy Act, the landmark law, also known as the CCPA, that gives consumers power over what personal data businesses can collect about them.

More than 1,300 pages were submitted, made up of written pleas for more restrictive language and demands that the law, set to take effect in 2020, be applied as broadly as possible. The Attorney General's Office is now reviewing those comments and expects to issue proposed regulations in the fall.

Here are some snippets of comments submitted by lawyers and tech leaders.

>> A team from Loeb & Loeb, representing midsized and large companies interacting with California consumers, urged state leaders to clarify the CCPA's applicability to workplace relationships: "Because an employer/employee relationship is fundamentally different from that of a business/consumer, the CCPA is likely to adversely affect an employer's routine business operations, and, in some instances, it may be administratively impossible for an employer to determine which records may be subject to such CCPA requirements and which are excluded … raising obstacles to implementation and privacy concerns."

Loeb & Loeb suggested limiting what information a person can seek about other household members: "The attorney general should clarify that no individual consumer has the right to request access to, or deletion of, the personal information of any other individual consumer, even if the other consumer is a member of the same 'household.' Only aggregate 'household information,' such as 'household income' or 'household utility use,' should be provided to an individual consumer in response to such a request."

The law firm also offered this suggestion: Don't define the transfer of personal information in a financial transaction as a sale. "Financial institutions need to transfer personal information in connection with certain financial transactions such as the sale of a loan or loan portfolio, the sale of a credit card account or portfolio of accounts, securitizations and the servicing of any of the foregoing."

An Apple store. Credit: Mike Scarcella / ALM

>> Katie Kennedy, privacy and information security counsel at Apple Inc., urged California to change the definition of personal information: "We encourage the attorney general to support and encourage privacy-protective technologies and design choices, including by confirming that not all information that can be linked to a rotating or resettable device-generated identifier is necessarily 'personal information.'"

Kennedy added: "Linking identified consumers to data that was previously keyed to rotating or resettable device-generated identifiers solely for CCPA compliance purposes increases the risk that private information about the individual could be revealed in the event the data is subject to unauthorized access (e.g., a data breach)."

Kennedy also said the state should not require the use of government IDs, such as driver's licenses, to verify the identity of those who want access to their data. "While there are many considerations to address in the verification process, we encourage the attorney general to ensure that the verification requirements will not obligate businesses to collect sensitive information unnecessarily or displace existing reasonably secure verification mechanisms," she said.

More from Kennedy's comment: "Today, countless popular services allow consumers to use a username and password to access online accounts that contain sensitive information (e.g., banking, email, medical services). As a result, it would be reasonable to treat CCPA requests made through an account that a user has previously established with the business as being verified, provided that the business maintains reasonable account security procedures."

>> Alan Friel, a Baker & Hostetler partner, filed a comment on behalf of "businesses of all sizes, and in most industries, directly affected by the California Consumer Privacy Act (CCPA)." Friel said businesses should be given broad flexibility to verify the identities of people seeking access to personal information collected about them. "To the extent the regulations require collection of additional personal information to verify a requesting party's identity or residency, the regulations should provide that the business may maintain that information for record keeping," he wrote.

Friel's comment said "businesses should be provided a safe harbor from any liability that might arise out of following such regulations"—for instance, "claims by a data subject that was impersonated by a party that was able to meet the verification standards of the regulations."

The state should keep the provisions allowing the attorney general to provide guidance to businesses and a 30-day window to address violations, Friel wrote. "Such regulations guiding the opinion and notice of cure obligations of the AG further the purpose of the title by prioritizing compliance (i.e., 'fix it') over punishment (i.e., 'gotcha'), especially as to businesses that can be shown to have acted in good faith."

Mayer Brown offices in Washington. Credit: Diego M. Radzinschi / ALM

>> Mayer Brown partner Philip Recht, representing "a variety of companies that provide background report, e-commerce fraud detection, and other people search services," urged California to tighten up the definition of personal information that "is capable of being associated with" a consumer. "The AG's regulations should make clear that PI includes only data that is 'reasonably' capable of being associated with a particular consumer," Recht wrote.

"Without further guidance, businesses seeking to avoid claims of non-compliance may err on the side of over-disclosing, providing a requesting consumer with data concerning all others with shared names, addresses and other attributes, even in the absence of information indicating any reasonable link between that data and the consumer," Recht said in his comment.

Recht also suggested expanding and clarifying the definition of personal information available from government records—information that is not subject to the CCPA's disclosure, deletion and opt-out requirements.

>> Cynthia Pantazis, director of policy and state affairs at Google, said in her comment that California should more closely align the CCPA's data-deletion requirements with those of the European Union General Data Protection Regulation.

"Rather than provide for a balancing test to carefully weigh a user's deletion request against a business's legitimate grounds for retaining data, the CCPA delineates a number of ambiguous exclusions that businesses can rely upon when denying such a request," Pantazis wrote. "We believe these exclusions—as well as the contours of the deletion framework more generally—would benefit from greater clarity and guidance, such as on the scope of information subject to the deletion right."

Pantazis also said the state should restrict the reach of the prohibition against sales of a consumer's data. "The definition of 'sale' under the CCPA, however, is vague and subject to a number of critical ambiguities that could render it untethered from both the common meaning of that term and the risks that can flow from the actual sale of personal information."

California's regulatory guidance "should clarify that the CCPA's definition of 'sale' is aligned with common understandings of that term, namely where a business directly exchanges personal information for monetary compensation, and excludes circumstances where data is transferred not for monetary or other direct value, but in order to facilitate the basic operation of a website or other commonly used product or service."