Marketing trade associations ask CA attorney general to ‘clarify’ CCPA provisions

Five major advertising trade groups are asking California Attorney General Xavier Becerra to “clarify” the California Consumer Privacy Act (CCPA) “through rulemaking to provide improved consumer protection and guidance to business.” Absent pre-emption by federal legislation, the CCPA is set to become the default data privacy law of the United States when it goes into effect on January 1, 2020, so the industry groups — the 4As, the AAF, the ANA, the IAB and the NAI — sent a letter looking for guidance.

In some ways CCPA is less strict than GDPR and in other respects it provides consumer rights that GDPR does not.

Seeking to reduce compliance burdens. The CCPA was passed to head off a 2018 California ballot initiative that would have been even stricter. The trade groups have asked for changes in the law, essentially to reduce the burdens of compliance and the potential exposure for marketers, retailers and brands.

Among other things, CCPA mandates that consumers be given the ability to prevent their personal data from being sold or distributed to third parties. (Deidentified information — “that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer” — is not subject to CCPA’s requirements.) In addition, companies subject to the law will have the burden of disclosing information being collected about individual consumers. It also provides penalties for non-compliance and gives affected individuals the right to sue.

Specific changes requested. None of this sits well with many brands and marketers (nor with the U.S. Chamber of Commerce) and it threatens current operating procedures of the digital data ecosystem. The letter (embedded below) specifically asks for the following changes and clarifications (emphasis in original):

• Section 1798.115(d) of the CCPA prohibits a company from selling consumer personal information that it did not receive directly from the consumer unless the consumer has received “explicit notice” and is provided an opportunity to exercise the right to opt out of that sale. We urge the AG to recognize that a written assurance of CCPA compliance is sufficient and reasonable.
• Sections 1798.105 and 1798.120 of the CCPA allow consumers entirely to opt out of the sale of their data or delete their data; but the law does not explicitly permit a business to offer a consumer the choice to delete or opt out regarding some, but not all, of their data. We request that the AG clarify that businesses may offer reasonable options to consumers to choose the types of “sales” they want to opt out of, the types of data they want deleted, or to completely opt out—and not have to just provide an all-or-nothing option.
• Section 1798.110(c) of the CCPA arguably requires a business’ privacy policy to disclose to a consumer the specific pieces of personal information the business has collected about that consumer. We ask the AG to clarify that a business does not need to create individualized privacy policies for each consumer to comply with the law.

These are not unreasonable requests. In particular, the group is proposing that consumers and companies be given more options around consent to the use of personal data. It implies the ability to offer incentives to consumers in exchange for use of their data. The trade group letter says, “without clarification and adjustments, these and other ambiguities in the law could result in reduced choice and privacy for consumers, rather than expanding it, as the law intended.”

Why you should care. CCPA could bring about major disruption in the way that affected companies collect and use consumer data. Depending on how it’s implemented and how consumers react, third parties in the data ecosystem could see their business models threatened. Google and Facebook are less likely to be impacted because they don’t rely on third party data for targeting and attribution.

Consumers are more inclined to allow first party data uses but more reluctant to allow their data to be distributed to third parties. However, the notion that consumers be given more options (for example, discounts for use of their data) rather than CCPA’s current binary yes/no scenario is worthy of consideration.