California Attorney General Xavier Becerra is hopeful lawmakers in Congress will craft a version of the state’s sweeping consumer data protection law, despite objections and requests for clarity from a number of advocacy groups who work on behalf of small and large businesses alike.
In a letter sent to the heads of four congressional committees on Wednesday, Becerra urged lawmakers to pass federal legislation that “builds on the rights afforded” to California residents through the state’s data protection law.
Passed last year, the California Consumer Privacy Act (CCPA) allows residents to demand businesses reveal the type of data collected about them and remove personal information that may be used in the course of business or sold to third parties. It also allows consumers the ability to request companies not sell their personal information.
The law applies to companies that have a gross annual revenue of $25 million or more; buy or sell the personal information of 50,000 or more customers in a year; obtain data from more than 50,000 devices in a year or derive 50 percent or more of their annual revenue from the sale of consumer information. Under the law, companies that do business in California have to provide consumers a way to opt-out of marketing initiatives involving their personal information through various means, including a link on their website that says “Do Not Sell My Personal Information.”
The CCPA took effect on January 1. Becerra said he expected companies to immediately comply with the law, but gave businesses an amnesty period of six month, promising the law wouldn’t be enforced by his office until July.
That relief period also allowed the attorney general’s office to review and respond to dozens of letters sent by businesses and trade organizations complaining about the consumer protection law and asking for greater clarity about how the law applied to them and how it would be enforced. The News Media Alliance, the California Association of Realtors and Apple were among those who filed letters with the attorney general’s office asking for greater clarity and, in some cases, a wholesale reworking of parts of the CCPA, according to hundreds of documents reviewed by California Globe.
In a letter sent January 6, financial data firm Refinitiv, the company formerly known as Thomson Reuters, expressed concern that the CCPA would make it impossible for services in the banking sector to properly screen customers and suppliers for risk associated with financial crimes. Refinitiv said these certain types of screenings are often mandated either by a supplier’s contract or by law, and some of them mirror objectives set by the California Department of Justice to combat terrorism, money laundering and other crimes.
Refinitiv said a requirement in the CCPA that the company contact directly contact consumers about data collection practices is untenable because some individuals and suppliers subject to screening do not have reliable contact information. Refinitiv also said the CCPA’s requirement that a company notify all third parties to whom it sold customer data about an opt-out request could force businesses to “breach existing contracts by limiting the rights granted (in them) with other third parties.”
Refinitiv asked Becerra’s office for an exemption allowing it and other financial companies to continue selling personal information “for the sole purpose of fighting financial crime” with no provision for a customer to opt-out of having their data collected.
In another letter, a consortium of advertiser trade groups took issue with the attorney general’s draft CCPA guidelines for business issued last October, saying a mandate that companies honor “do not track” requests sent by computer software went beyond the scope of the law.
The CCPA, they said, didn’t specify language that required website operators to honor “do not track” requests sent by computer software like browser plug-ins, and a similar online privacy measure debated in 2013 resulted in lawmakers striking similar language from the finalized version of the bill.
The trade group said if the attorney general insisted on forcing businesses to recognize “do not track” commands issued by computer software, companies should be allowed to ignore them if they offer a “Do Not Sell My Personal Information” link at the bottom of a website as the CCPA requires.
In a revised version of the draft guidelines published earlier this month, Becerra rejected both concerns, saying businesses needed to honor a consumer’s request to opt-out of having their personal information collected and sold, even if sent via computer software.
But Becerra did give Refinitiv and other financial companies who screen customers and suppliers for potential risk some relief: The revised guidelines said a company could refuse to honor a consumer’s request to review any personal data collected by the business if they were prohibited from doing so by existing law. The revision did not take into account whether companies like Refinitiv could exempt disclosure due to existing business contracts.
With the guidelines finalized and just a few months away from his office’s first enforcements on the matter, Becerra said he is now looking for a “federal partner with the tools and resources for vigorous enforcement of new consumer rights.”
“Congress should make clear in any legislative proposal that state attorneys general have parallel enforcement authority and that consumers also have the opportunity to protect their rights directly through a private right of action,” he wrote.
- Assemblywoman Jacqui Irwin Proposes Law to Authorize Withholding Autopsy Reports From Public Disclosure - February 28, 2020
- As AG Becerra Seeks Federal Recognition of Consumer Privacy Law, Companies Ask for Relief - February 26, 2020
- New Legislation Would Carve Out Additional Exemptions for Information from California Open Records Laws - February 24, 2020