FPF Comments on the California Consumer Privacy Act (CCPA)

March 11, 2019

Stacey Gray

Senior Director for Artificial Intelligence

On Friday, the Future of Privacy Forum submitted comments to the Office of the California Attorney General (AG), Xavier Becerra.

Read FPF’s Full Comments (11-page letter)
See Attachment 1: Comparing Privacy Laws: GDPR vs. CCPA
See Attachment 2: A Visual Guide to Practical De-identification

In FPF’s outreach to the AG, we commended the office for its multi-faceted solicitation of feedback from diverse stakeholders and the public in recent months, including through public forums, testimony before the California Assembly, and requests for comments.

Specifically, we wrote to:

1. Commend the State of California for addressing important data protection rights, including transparency, access, deletion, and reasonable security, for personal information. California has long been a leader in data privacy, and in the last year has served as a legislative model for other states as well as sparking a serious national conversation regarding a federal privacy law. While FPF supports a strong, comprehensive, baseline federal privacy law, we believe that states that do advance legislation should do so in ways that provide consumers with comprehensive protections that are in line with the Fair Information Practice Principles (FIPPs) and take into account interoperability with the EU General Data Protection Regulation (GDPR).

2. Recommend that rule-making efforts recognize that data exists on a spectrum of identifiability. While some data is firmly linked to an individual or provably non-linkable to a person, significant amounts of data exist in a gray area — obfuscated but potentially linkable to an individual under some circumstances. We recommend that the AG take account of this spectrum of identifiability and provide incentives for companies to de-identify data using technical, legal, and administrative measures.

3. Encourage further analysis of the impact of CCPA on socially beneficial research by non-HIPAA entities. Although CCPA excludes health data regulated by the Health Insurance Portability and Accountability Act (HIPAA) and related laws, its provisions govern private companies that may choose to conduct socially beneficial research using non-HIPAA data, including: consumer wearable manufacturers; health-related mobile apps; and genetic testing companies. While these companies should surely be subject to data privacy rules, we recommend that the AG take a close look at specific areas where beneficial research can be enabled or facilitated, or where restrictive requirements may pose particular challenges for researchers.

4. Encourage the AG to establish guidelines for data subject access requests (DSARs) that are secure, practical, and meaningful for consumers. The right to access one’s personal information is a fundamental tenet of the FIPPs, as well as a central feature of privacy laws in the United States and around the world. At the same time, there are inherent risks for some businesses in complying with data subject access request (DSARs), and often a direct tension between access rights and other important privacy safeguards. Ultimately, access requests should be secure, practical for businesses, and meaningful for consumers.

5. Recommend greater clarity on the intersection of CCPA and existing student privacy laws governing education technology vendors. For the benefit of schools, administrators, and education technology (“edtech”) vendors, the AG should clarify key points of CCPA that are applicable to education and student privacy, including: edtech vendors’ CCPA obligations (if any) when they act solely on behalf of public schools or districts; the circumstances under which edtech vendors may be considered “service providers” under the law; and alternately, how edtech vendors may navigate compliance obligations of CCPA in line with federal laws governing student records and California’s existing student privacy laws.

We also attached a list of relevant resources, including FPF publications on a variety of commercial privacy topics that may be of interest to the AG. We hope that our comments and the associated resources will be helpful to the important, ongoing discussion regarding consumer privacy in the State of California.

Read FPF’s Full Comments (11-page letter)
Attachment 1: Comparing Privacy Laws: GDPR vs. CCPA
Attachment 2: A Visual Guide to Practical De-identification

Explore

Issues

authors

dates

Posts by Stacey

internet,security,and,a,personal,data,protection,concept.,protect,a

Do LLMs Contain Personal Information? California AB 1008 Highlights Evolving, Complex Techno-Legal Debate

the,front,of,the,us,supreme,court,in,washington,,dc,

Chevron Decision Will Impact Privacy and AI Regulations

FPF Comments to the DOJ on Access to Americans’ Bulk Sensitive Personal Data and Government-Related Data by Countries of Concern

FPF Comments on the California Consumer Privacy Act (CCPA)

Explore

U.S. Legislative Trends in AI-Generated Content: 2024 and Beyond

Processing of Personal Data for AI Training in Brazil: Takeaways from ANPD’s Preliminary Decisions in the Meta Case

Do LLMs Contain Personal Information? California AB 1008 Highlights Evolving, Complex Techno-Legal Debate

Future of Privacy Forum Convenes Over 200 State Lawmakers in AI Policy Working Group Focused on 2025 Legislative Sessions

Synthetic Content: Exploring the Risks, Technical Approaches, and Regulatory Responses

Out, Not Outed: Privacy for Sexual Health, Orientations, and Gender Identities

FPF Analysis of New Requirements for Generative AI Use by Healthcare Entities in Patient Communications

FPF Submits Comments to Inform New York Children’s Privacy Rulemaking Processes

Regulatory Strategies of Data Protection Authorities in the Asia-Pacific Region: 2024, and Beyond