What Big Law, Tech Leaders Say About California's New Data-Privacy Law
We've culled through more than 1,000 pages of comments to spotlight what Apple, Google and a few Big Law firms are saying about the CCPA.
April 19, 2019 at 06:00 PM
7 minute read
Attorney General Xavier Becerra invited the public to share thoughts on what should be included in upcoming regulations enacting the California Consumer Privacy Act, the landmark law also known as the CCPA that gives consumers power over what personal data businesses can collect about them.
More than 1,300 pages of written pleas were submitted for more restrictive language and demands that the law, set to take effect in 2020, be applied as broadly as possible. The Attorney General's Office is now reviewing those comments and expects to issue proposed regulations in the fall.
Here are some snippets of comments submitted by lawyers and tech leaders.
>> A team from Loeb & Loeb, representing midsized and large companies interacting with California consumers, urged state leaders to clarify the CCPA's applicability to workplace relationships: “Because an employer/employee relationship is fundamentally different from that of a business/consumer, the CCPA is likely to adversely affect an employer's routine business operations, and, in some instances, it may be administratively impossible for an employer to determine which records may be subject to such CCPA requirements and which are excluded … raising obstacles to implementation and privacy concerns.”
Loeb & Loeb suggested limiting what information a person can seek about other household members: “The attorney general should clarify that no individual consumer has the right to request access to, or deletion of, the personal information of any other individual consumer, even if the other consumer is a member of the same 'household.' Only aggregate 'household information,' such as 'household income' or 'household utility use,' should be provided to an individual consumer in response to such a request.”
The law firm also offered this suggestion: Don't define the transfer of personal information in a financial transaction as a sale. “Financial institutions need to transfer personal information in connection with certain financial transactions such as the sale of a loan or loan portfolio, the sale of a credit card account or portfolio of accounts, securitizations and the servicing of any of the foregoing.”
>> Katie Kennedy, privacy and information security counsel at Apple Inc., urged California to change the definition of personal information: “We encourage the attorney general to support and encourage privacy-protective technologies and design choices, including by confirming that not all information that can be linked to a rotating or resettable device-generated identifier is necessarily 'personal information.'”
Kennedy added: “Linking identified consumers to data that was previously keyed to rotating or resettable device-generated identifiers solely for CCPA compliance purposes increases the risk that private information about the individual could be revealed in the event the data is subject to unauthorized access (e.g., a data breach).”
Kennedy also said the state should not require the use of government IDs, such as drivers licenses, to verify the identity of those who want access to their data. “While there are many considerations to address in the verification process, we encourage the attorney general to ensure that the verification requirements will not obligate businesses to collect sensitive information unnecessarily or displace existing reasonably secure verification mechanisms,” she said.
More from Kennedy's comment: “Today, countless popular services allow consumers to use a username and password to access online accounts that contain sensitive information (e.g., banking, email, medical services). As a result, it would be reasonable to treat CCPA requests made through an account that a user has previously established with the business as being verified, provided that the business maintains reasonable account security procedures.”
>> Alan Friel, a Baker & Hostetler partner, filed a comment on behalf of “businesses of all sizes, and in most industries, directly affected by the California Consumer Privacy Act (CCPA).” Friel said businesses should be given broad flexibility to verify the identities of people seeking access to personal information collected about them. “To the extent the regulations require collection of additional personal information to verify a requesting party's identity or residency, the regulations should provide that the business may maintain that information for record keeping,” he wrote.
Friel's comment said “businesses should be provided a safe harbor from any liability that might arise out of following such regulations”—for instance, “claims by a data subject that was impersonated by a party that was able to meet the verification standards of the regulations.”
The state should keep the provisions allowing the attorney general to provide guidance to businesses and a 30-day window to address violations, Friel wrote. “Such regulations guiding the opinion and notice of cure obligations of the AG further the purpose of the title by prioritizing compliance (i.e., “fix it”) over punishment (i.e., “gotcha”), especially as to businesses that can be shown to have acted in good faith.”
>> Mayer Brown partner Philip Recht, representing “a variety of companies that provide background report, e-commerce fraud detection, and other people search services,” urged California to tighten up the definition of personal information that “is capable of being associated with” a consumer. “The AG's regulations should make clear that PI includes only data that is 'reasonably' capable of being associated with a particular consumer,” Recht wrote.
“Without further guidance, businesses seeking to avoid claims of non-compliance may err on the side of over-disclosing, providing a requesting consumer with data concerning all others with shared names, addresses and other attributes, even in the absence of information indicating any reasonable link between that data and the consumer,” Recht said in his comment.
Recht also suggested expanding and clarifying the definition of personal information available from government records—information that is not subject to the CCPA's disclosure, deletion and opt-out requirements.
>> Cynthia Pantazis, director of policy and state affairs at Google, said in her comment that California should more closely align the CCPA's data-deletion requirements with those of the European Union General Data Protection Regulation.
“Rather than provide for a balancing test to carefully weigh a user's deletion request against a business's legitimate grounds for retaining data, the CCPA delineates a number of ambiguous exclusions that businesses can rely upon when denying such a request,” Pantazis wrote. “We believe these exclusions—as well as the contours of the deletion framework more generally—would benefit from greater clarity and guidance, such as on the scope of information subject to the deletion right.”
Pantazis also said the state should restrict the reach of the prohibition against sales of a consumer's data. “The definition of 'sale' under the CCPA, however, is vague and subject to a number of critical ambiguities that could render it untethered from both the common meaning of that term and the risks that can flow from the actual sale of personal information.”
California's regulatory guidance “should clarify that the CCPA's definition of 'sale' is aligned with common understandings of that term, namely where a business directly exchanges personal information for monetary compensation, and excludes circumstances where data is transferred not for monetary or other direct value, but in order to facilitate the basic operation of a website or other commonly used product or service.”
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllAmazon's Audible Hit With Privacy Class Action Over Use of Tracking Pixels
SAG-AFTRA Union Health Plan Slammed With Data Breach Class Actions in Wake of Phishing Attack
Pre/Dicta Expands Litigation Analytics Platform to California, Its First Venture Into State Courts
3 minute readTrending Stories
- 1Senate Confirms Last 2 of Biden's California Judicial Nominees
- 2Morrison & Foerster Doles Out Year-End and Special Bonuses, Raises Base Compensation for Associates
- 3Tom Girardi to Surrender to Federal Authorities on Jan. 7
- 4Husch Blackwell, Foley Among Law Firms Opening Southeast Offices This Year
- 5In Lawsuit, Ex-Google Employee Says Company’s Layoffs Targeted Parents and Others on Leave
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250