California Attorney General’s Office begins CCPA rulemaking process with first public hearing while Congress debates new federal privacy law

This is the Data Protection Report’s sixth post in a series of CCPA blog posts that will break down the major elements of the CCPA. Stay tuned for additional CCPA posts.

The California Consumer Privacy Act of 2018 (“CCPA”), California’s new privacy law which takes effect on January 1, 2020, requires the Attorney General to adopt implementing regulations that further the objectives of the CCPA. Much concern has been raised about the law as currently written, including by Attorney General Xavier Becerra himself. With regulations set to be issued on or before July 1, 2020, the Attorney General’s Office will host six public forums to give key stakeholders an opportunity to provide feedback on the law and help shape the implementing regulations.

On January 8, 2019, the Attorney General’s office held the first of the six public rulemaking workshops in San Francisco. The comments made at the workshop reflect general concerns about perceived ambiguities in the law, as well as potential unintended consequences for businesses that collect information about California consumers.

Specific themes that emerged include:

Clarifying certain ambiguous definitions, including the definition of “personal information” and whether it includes IP addresses and inferences drawn from personal information to create a profile about a consumer. Others proposed narrowing the definition of “sale” to exclude online advertising.
A call for the Attorney General to establish a safe harbor provision for businesses that are GDPR compliant, as well as a call for greater synergy between the two laws.
Considering that the right of access provisions may actually undermine the law’s goal of limiting the collection of personal information because the law may require companies to collect data as part of identity verification that they would otherwise not collect.

In the wake of GDPR and CCPA, Congress is now proposing drafts of a first-ever comprehensive US federal data privacy law, which may get passed in 2019. State-preemption is one of the major sticking points and although there appears to be agreement that a national law would be preferable to the current patchwork of state and industry-specific privacy laws, the details of what and how such a federal law will be enforced have yet to be ironed out. The Federal Trade Commission will likely play some role in the enforcement as well as state Attorney Generals. We will continue to monitor developments in state laws, such as the CCPA, and the new federal law.

The dates and locations of additional public forums are listed below. Public comments are also accepted by email at privacyregulations@doj.ca.gov or by mail to the California Department of Justice, ATTN: Privacy Regulations Coordinator, 300 S. Spring St., Los Angeles, CA 90013.

January 14, 2019 10 AM – 1 PM, California State University, San Marcos, 333 S. Twin Oaks Valley Road San Marcos, CA 92096
January 24, 2019 10 AM – 1 PM, Cesar Chavez Community Center, 2060 University Avenue Riverside, CA 92507
January 25 2019 10 AM – 1 PM, Ronald Reagan Building, 300 S. Spring Street Los Angeles, CA 90013
February 5, 2019 10 AM – 1 PM, California State Building, 1500 Capitol Avenue Sacramento, CA 95814
February 13, 2019 10 AM – 1 PM California State Building, 2550 Mariposa Mall, Room 1036 Fresno, CA 93721

For more information or to begin preparing for CCPA compliance, please contact:

Jeewon Kim Serrato, San Francisco
Head of Data Protection, Privacy, and Cybersecurity, United States