VE
CTORM
IN
E/S
HUTT
ERSTOC
K.
CO
M
regwatch
ATTORNEYS WHO HAVE TO GUIDE COMPANIES
through the California Consumer Privacy
Act would like clarification sooner than
later on the proposed regulations the
state’s attorney general set out last year.
In October, California Attorney General Xavier Becerra released 24 pages of
draft regulations concerning the CCPA
that will be finalized by July 1, 2020, at
the latest. The date is significant because
Becerra has said that his office will not
begin enforcing the law until then.
“For the most part we are assuming
that the proposed regulations will be
implemented as they were initially
drafted,” Michelle Hon Donovan, a
partner at Duane Morris in San Diego,
said.
She said there is no clarity on some of
the definitions, and businesses will need
to be given direction in order to comply
with the law, which came into effect on
Jan. 1. One of those includes a definition
of personal information.
“A business shall not provide a consumer with specific pieces of personal
information if the disclosure creates a
substantial, articulable, and unreasonable risk to the security of that personal
information, the consumer’s account
with the business, or the security of the
business’s systems or networks,” the proposed rule says.
“That language is unclear and can be
interpreted very broadly,” Hon Donovan
said.
Jean-Marc Chanoine, global head of
strategic accounts and legal counsel at
Templafy in New York, said while there is
a grace period now, the California Office
of Attorney General will ultimately be
going after companies for minute procedures in which the language on how to
comply is vague.
For example, if someone requests
what information a company has on
them, a company may need to collect
more information on that person to verify they are not a bad actor trying to steal
information. There are questions, Chanoine said, on whether that is allowed
and how long a company can retain that
additional information.
“Anyone can request information on
data that is being collected on them,”
Chanoine said. “That data could be
used by bad actors. How are companies
supposed to know what is a legitimate
request?”
Chanoine said while the attorney
general is not aiming to punish compa-
nies that are trying to do the right thing,
the attorney general still has not defined
which efforts would show good faith and
which would not.
Chanoine would like to see some
kind of protection for companies from
frivolous class action lawsuits. One of the
most notable changes to the CCPA is that
consumers now only have a private right
of action for a data breach. If the suit is
successful, consumers who have their data
exposed in a breach can be given any-
where from $100 to $750.
“What is the attorney general doing
to make sure there are not abuses in class
action lawsuits?” Chanoine asked. “Let’s
make sure we’re protecting consumers
and companies and not causing more
harm than good.”
The timing is what is largely concern-
ing to clients, said Jim Halpert, a partner
at DLA Piper in Washington, D.C. He
said some of these changes would take a
while because there is no technology to
handle some of the proposed require-
ments. One involves having “do not
sell” notices that could be sent through a
browser signal, Halpert explained.
“There is not the technology to do this
and it is unclear how, beginning on July 1,
businesses would be able to comply with
that,” Halpert explained. “The CCPA has
been a moving target and the regulations
include some new ideas which are a little
difficult for entities to comply with.”
ATTORNEYS WANT CLARIFICATION ON THE CCPA
BY DAN CLARK