SAN FRANCISCO (CN) - With a monumental privacy law set to take effect in just a few weeks, privacy advocates, corporate lawyers and representatives from trade groups and financial institutions flocked to a public hearing in San Francisco on Wednesday to voice the almost unanimous view that the California Consumer Privacy Act still needs some work.
Well-intentioned but overly broad and unclear seemed to be the consensus, while more specific concerns ran the gamut from ill-defined terms to the lack of guidance on opt-out notices to consumers.
The act will apply to businesses with annual revenues over $25 million, that buy, receive or sell the information of 50,000 consumers, or that get 50% or more of their revenue from selling consumers’ data.
This means that as many as 500,000 companies must tweak or overhaul their privacy practices to conform with the law. It requires them to respond to, and maintain records of, consumer requests to know what information has been collected on them and to delete that information if asked; to update their privacy notices to disclose their data collection practices to consumers; and to provide a “Do Not Sell My Info” link on their websites and mobile apps for consumers wishing to opt out of having their information sold to third parties.
The law also puts the onus on businesses to notify all third parties to whom they have sold a customer’s information within 90 days of receiving an opt-out request from that person.
Among the more confounding aspects of the law, even for experts, are the definitions and relationships of “businesses,” “service providers” and “third parties.” Barbara Lawler, the Chief Privacy and Data Ethics Officer for Looker, said her company had been working to map these relationships, but “even with a team of experts, advisers and peers, I’m not sure we’ve got it right. And I’m not sure a lot of other companies are either, even though they are actually trying.”
She also challenged CCPA’s puzzlingly complex notice and privacy requirements. “Did you intend multiple separate notices that went into a privacy policy? Or a privacy policy that includes multiple notices? So many notices, so much nested linking. It’s almost like privacy notice 'Inception.'”
Other speakers asked that the law’s effective date be delayed by at least two years, to give financial institutions more time to understand and comply with its provisions.
“There is a lot of room for interpretation and ambiguity,” said Jason Mertz-Prickett, vice president of operations for Upward Credit Union, who asked that the CCPA go into effect on Jan. 1, 2022.
He also said the current statute provides little to no guidance on what right-to-opt-out notices and responses to consumer requests for information should look like.
“These notices and responses are required to be easily read and understandable by the average consumer. With no guidance on what that means or provided examples, methods or metrics to gauge these on, it makes it extremely difficult to develop these notices,” Mertz-Prickett said. “Samples or uniform notices would help not just small credit unions but all financial institutions.”