Regular Californians and business owners are uneasy about the California Consumer Privacy Act (CCPA), based on the feedback submitted to the California attorney general’s office on the AG’s implementation regs.
The deadline to turn in comments to the AG’s office was Friday, Dec.6, which followed a 45-day public comment period.
Although lawyers and trade associations supplied long and detailed remarks, only a small handful of real-life consumers shared their thoughts on the draft regs, the purpose of which when finalized will be to fill in gaps in the law with operational guidance to help businesses comply.
But the consumers and small- to medium-sized businesses that took the time to respond appear concerned that the CCPA is going to, as one commenter put it, “victimize small businesses and sole proprietors like me and drive us out of California forever.”
Here’s what’s causing unease among business owners and citizens in California in the lead-up to the CCPA effective date on Jan. 1 – which is now less than one month away.
Compliance confusion
One commenter was angry that the AG doesn’t specify exactly what constitutes “personal information.”
“I am trying to understand what our business must do to comply … but I am not able to even begin this work, because the draft regulation does not define ‘personal information,’” the person wrote. “THIS APPEARS TO BE A MAJOR OVERSIGHT.” [emphasis theirs]
It’s not a major oversight, though. The statute itself does actually define personal information, albeit broadly. Confusion over the definition of personal information at this late date indicates that businesses are far behind in their compliance efforts.
We’re not big tech
Although CCPA applies to businesses large and small, there’s the perception that large tech companies, like Google and Facebook, will be better able to roll with the regulatory punches, and maybe even benefit from the new privacy law. They’ve got armies of lawyers to help them comply after all.
“My question about this law is ‘Cui bono?’ [Who stands to gain?],” asked one annoyed commenter, a self-described freelance writer.
“It is onerous for most businesses other than Facebook, Google, Apple, Microsoft, etc., (which will likely test the limits of any available loophole, since fines for them are part of the cost of doing business,” the commenter wrote. “It encourages and mandates data aggregation in a way that seems directly contrary to the protection of consumers’ privacy, and it’ll bring yet another new load of confusing legalese and notification banners that most consumers will never read.”
Carve-out questions
Businesses are also concerned about the types of data that are – and aren’t – covered under CCPA.
Most of the CCPA amendments that were signed into law by Gov. Gavin Newsom in October have to do with exempting certain types of data from the law, such as vehicle repair data, aggregate consumer information, public record data and data collected by government agencies as part of normal business transactions.
One California commenter was peeved that the law’s scope isn’t wide enough – “It’s critically important that government entities at all levels, for example the CA DMV, which makes $50 million [a] year selling personal data, are subject to the CCPA” – while another commenter was troubled that the law’s scope is too wide.
“Employee information is not sold and is only stored for record keeping; these records are used for insurance, payroll and accounting purposes in the normal course of business,” the person wrote. “The additional burden of the CCPA on companies that have nothing to do with consumer data would be burdensome and reinforce the notion that California is not a business-friendly state.”
Employee data collected from workers, job applicants or contractors could eventually be subject to the CCPA. One of the amendments that passed, AB 25, creates a one-year exemption for employee data, which means the legislature will have to revisit the issue again next year.
What’s next?
The AG will now sift through the submissions.
If the AG doesn’t make any substantive changes to the original version of the regs, they’ll be finalized and effective starting in early April 2020. If the AG’s office does end up making big tweaks to the first draft based on the comments it received, an updated draft will be circulated, kicking off a second 45-day comment period. In that case, the regs probably wouldn’t go into effect until the beginning of July.
If you’re a glutton for punishment or have a long commute, click here to read all 238 pages of written commentary on the first draft of the AG’s implementation regulations.