Companies want changes to 'subjective' California data privacy rules
Bankers, insurers and other business representatives continue to complain that the new rules are too vague and cumbersome.
Lobbyists, attorneys and trade group representatives packed a Sacramento conference room Monday for the first public comment session on proposed rules for the California Consumer Privacy Act.
Only a handful of those in attendance, however, offered any public thoughts on the data privacy law that goes into effect Jan. 1. Most in the audience simply tapped notes on laptops or scribbled on legal pads. Organizers from the Attorney General’s Office closed the meeting after about 90 minutes due to a lack of speakers.
That’s not to say the law and the regulations that will guide its enforcement aren’t controversial.
Software developers, bankers, insurers and other business representatives continue to complain that the new rules are too vague and cumbersome. Tech companies are pushing for preemptive national privacy legislation in Congress.
And the author of the Consumer Privacy Act, San Francisco real estate developer Alastair Mactaggart, has drafted a companion initiative for the 2020 ballot that would further restrict data-collecting companies and create a state privacy enforcement agency. Mactaggart did not attend Monday’s hearing.
Although only a dozen people spoke at the Sacramento meeting, several themes emerged.
1. Businesses want model forms and notices
The Privacy Act requires companies collecting data to make a number of disclosures to consumers, including how they can opt out of the sale of their personal information and what categories of data the companies are collecting. These notices, according to the rules, must be “easy to read and understandable to an average consumer.”
“This is subjective and does not contemplate a method or metric to ensure readability,” Mark Vinella, vice president of compliance and risk management and risk management at Travis Credit Union, said Monday.
Vinella asked the Attorney General’s Office, which is drafting the Privacy Act regulations, to consider producing sample forms that companies can use to comply with the law.
2. Businesses don’t want do-not-track computer settings or privacy settings to be treated as a blanket consumer opt-out.
“We think there are technical problems” with that provision of the regulations, said Mike Belote, a Sacramento lobbyist representing the Civil Justice Association of California. “The systems are just not there yet.”
Heather Smith, a manager at a Sacramento advertising agency, called the proposed regulation “a significant new obligation that was not included in the CCPA and could undermine consumer choice.”
Smith suggested the rule be altered to allow data-collectors not to honor the browser plugin or other do-not-track mechanisms if they already offer consumers a method for opting out of the sale of their data.
3. Data-holders say the proposed regs add too many requirements
Anthony Stark, general counsel to business database compiler ZoomInfo, pointed to language mandating that companies treat consumers’ “deficient” requests to delete their data as if it had been submitted correctly. Companies can also choose to tell consumers how to correct the errors on their requests. “This adds an extra level of uncertainty and costs,” Stark said.
He also noted provisions requiring companies to describe to consumers how they verify requests to delete their data and when they should expect a response to a deletion request. “I think this goes beyond the CCPA,” he said.
The hearing format did not allow the attorney general’s representatives, including privacy unit leader Stacey Schesser and special assistant Eleanor Blume, to immediately respond to the criticisms and suggestions. Additional hearings will be held in Los Angeles on Tuesday, in San Francisco on Wednesday and in Fresno on Thursday as part of the rule-making process. Written comments can also be submitted through Friday.
The attorney general will consider the comments as his deputies draft the final regulations, which are expected to go into effect July 1.
Related: