As the beginning of enforcement of the California Consumer Privacy Act (CCPA) gets closer, the leading nonprofit trade association representing the insights industry pleaded for greater clarity from the state Attorney General about the CCPA rules and a delay in their enforcement.

The Insights Association filed comments with the California Attorney General Xavier Becerra on March 23, 2020, responding to the third draft of regulations to implement CCPA. CCPA came into effect on January 1, 2020. Enforcement begins July 1, which emphasizes the importance of finalizing these regulations, but IA regrets that there were only a handful of changes in the 3rd draft (released on March 11), one of which in particular, on IP addresses, only confused CCPA compliance matters more.

Moreover, the need to delay enforcement "has been heightened exponentially due to the ongoing coronavirus pandemic," the Insights Association told the AG, echoing concerns relayed in a recent joint industry letter of which IA was a part.

The Insights Association continued: "In many cases right now, businesses are struggling to implement CCPA compliance measures while working remotely. Furthermore, the costs of compliance must also now be balanced against the crushing macroeconomic impacts of the virus, including a looming recession. This delay would give businesses the bare minimum time to analyze the final regulations and respond accordingly and responsibly."

Regarding the details of the regulations, the AG deleted its own prior clarification of when IP addresses would be considered personal information under CCPA. In the 2nd draft, the AG reiterated the definition of “personal information” and clarified that IP addresses which could not reasonably be linked to a particular consumer or household would not be personal information. This section was deleted from the March 11 draft. IA toled the AG "that this addition and subsequent deletion create unnecessary confusion, and we request that you clarify your office’s position. It is obviously critical for businesses to understand, as well as possible, the contours of CCPA’s 'personal information' definition. As you’re no doubt aware, IP addresses in particular have been a much-discussed and somewhat controversial aspect of 'personal information' definitions in other privacy laws. Following these most recent edits, your office’s position on IP addresses is especially unclear."

In addition to pressing for clarity on IP addresses, IA reiterated concern that the AG's office: Treat notice via telephone differently and at least allow for a short-form option;  Loosen restriction on passing through costs of verification to accommodate special circumstances; Expand the email-only option for all requests, and apply to all relationships with consumers that are “exclusively online"; Broaden financial incentive disclosure guidance to contemplate situations where additional, non-monetary consideration is given in exchange for personal information; Clarify the meaning of “reasonably expect” and “just in time” in the mobile notice requirements; and Delay enforcement of CCPA regulations.

IA had also commented on the first and second drafts of CCPA regulations from the Attorney General.

Most of the Insights Association’s members will be covered by CCPA, whether or not they're located in California, which is why IA has focused on advocacy to improve the law and regulations in California and on CCPA compliance resources for IA members.

Read the pdf of the Insights Association's comments to the AG, or the full text below:

Dear Attorney General Becerra,

The Insights Association (IA) submits the following comments regarding the proposed regulations implementing the California Consumer Privacy Act (CCPA) (Cal. Civ. Code, § 1798.100 et seq.), particularly the third draft of the regulations circulated by your office on March 11, 2020.[1]

As previously indicated in comments submitted on December 6, 2019[2] and February 25, 2020[3] regarding the first two drafts of CCPA regulations, both of which are attached hereto (attachments #1 and #2, IA is the leading nonprofit trade association for the marketing research and data analytics industry and represents more than 545 individual and company members in California, with more than 5,500 members in total. Virtually all of these members will fall within the jurisdiction of the CCPA due to the fact that personal information of California residents is collected and transmitted for legitimate purpose by marketing research and data analytics companies and organizations in most instances. Since CCPA will have a profound impact on our industry, we appreciate the opportunity to submit additional recommendations on the latest draft of CCPA regulations.

After explaining who we are and what marketing research is, these comments will cover seven main points

IA’s members include both marketing research and data analytics companies and organizations, as well as the research and analytics professionals and departments inside of non-research companies and organizations. They are the world’s leading producers of intelligence, analytics and insights defining the needs, attitudes and behaviors of consumers, organizations, employees, students and citizens. With that essential understanding, leaders can make intelligent decisions and deploy strategies and tactics to build trust, inspire innovation, realize the full potential of individuals and teams, and successfully create and promote products, services and ideas.

What is “marketing research”? Marketing research is the collection, use, maintenance, or transfer of personal information as reasonably necessary to investigate the market for or marketing of products, services, or ideas, where the information is not otherwise used, without affirmative express consent, to further contact any particular individual, or to advertise or market to any particular individual.

An older definition of marketing research, used in California S.B. 756 in 2017, was “the collection and analysis of data regarding opinions, needs, awareness, knowledge, views, experiences and behaviors of a population, through the development and administration of surveys, interviews, focus groups, polls, observation, or other research methodologies, in which no sales, promotional or marketing efforts are involved and through which there is no attempt to influence a participant’s attitudes or behavior.”

1. Clarify the significance of deleting § 999.302 for defining personal information.

In the February 10 edits, your office added § 999.302 to the regulations, which reiterated that CCPA’s “personal information” definition “depends on whether the business maintains information in a manner that ‘identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.’” The section went on to clarify that IP addresses which could not reasonably be linked to a particular consumer or household would not be personal information. This section was deleted from the March 11 draft.

We respectfully submit that this addition and subsequent deletion create unnecessary confusion, and we request that you clarify your office’s position. It is obviously critical for businesses to understand, as well as possible, the contours of CCPA’s “personal information” definition. As you’re no doubt aware, IP addresses in particular have been a much-discussed and somewhat controversial aspect of “personal information” definitions in other privacy laws. Following these most recent edits, your office’s position on IP addresses is especially unclear.

2. Treat notice via telephone differently and at least allow for a short-form option.

The February 10 edits to the regulations clarify in § 999.305(a)(3)(d) that, “[w]hen a business collects personal information over the telephone or in person, it may provide the [collection] notice orally,” but as we explained previously, the notices required to be read over the phone might often include not just collection notices, but also opt-out notices and financial incentive notices. Such a lengthy “preamble” to a phone call would be disastrous to research conducted over the phone.

Response rates for U.S. telephone surveys are lucky to reach ten (10) percent and adding an extended notice to the front-end of all calls will crater already low response rates. It would likely prove impossible to find respondents willing to sit through such a preamble before finally being given an opportunity to provide their input for a public opinion or political poll or in response to a government-sponsored survey, for example.

Therefore, we again urgently request that the CCPA regulations allow for a short-form collection and opt-out notice for telephone interactions. For example, a short-form notice might, in simple straightforward terms: (i) alert the consumer that personal information will be collected; (ii) alert consumers of their right to opt out; and (iii) direct users to a privacy policy (likely online) where more information can be found or provide them the opportunity to give their email address and receive it via email.

Such a short-form notice would, by shortening the amount of “legalese” confronting consumers, better serve the goals of the CCPA without unnecessarily inhibiting legitimate research.

3. Loosen restriction on passing through costs of verification to accommodate special circumstances.

While the draft regulations prohibit businesses in § 999.233(d) from “requir[ing] the consumer or the consumer’s authorized agent to pay a fee for the verification of their request to know or request to delete,” the Insights Association’s reservations remain.

In cases of death, for example, this provision may unnecessarily increase costs for businesses when dealing with executors, relatives or loved ones who are making requests under CCPA on behalf of the deceased, where such dealings regularly require the provision of a notarized death certificate and executor short form. Limitations need to be set in certain circumstances on the pass-through of verification costs, in order to avoid an undue burden on businesses. To review our previous comments on this issue,[4] please see attached.

4. Expand the email-only option for all requests, and apply to all relationships with consumers that are “exclusively online.”

The CCPA draft regulations stipulate in § 999.312(a) that “[a] business that operates exclusively online and has a direct relationship with a consumer from whom it collects personal information shall only be required to provide an email address for submitting requests to know.” IA once again urges expanding this email-only option to all requests, not just requests to know, and generally expanded to all relationships between consumers and businesses that are exclusively online, even if the businesses in question operate separately in a non-online context. To review our previous comments on this issue,[5] please see attached.

5. Broaden financial incentive disclosure guidance to contemplate situations where additional, non-monetary consideration is given in exchange for personal information.

The Insights Association also must reiterate that the financial incentive “value” calculation imposes an unrealistic and poorly-suited requirement in situations where financial incentives are not being given in a simple quid pro quo for personal information. A person choosing to participate in research is subject to a more complicated mix of motivations or “consideration” someone participating in a typical company loyalty program and the final CCPA regulations should reflect this reality. To review our previous comments on this issue,[6] please see attached.

6. Clarify the meaning of “reasonably expect” and “just in time” in the mobile notice requirements.

IA respectfully requests that your office further clarify the meaning of “reasonably expect” and “just in time” in § 999.305(a)(4). To review our previous comments on this issue,[7] please see attached.

7. Delay enforcement of CCPA regulations.

The Insights Association previously urged that enforcement be delayed a further six months, until January 1, 2021, given the absence of lag time between the release of final CCPA regulations and the onset of CCPA enforcement this summer. The need for delay has been heightened exponentially due to the ongoing coronavirus pandemic. This was also stressed by a March 20, 2020 letter IA sent with 65 other organizations requesting forbearance.[8]

In many cases right now, businesses are struggling to implement CCPA compliance measures while working remotely. Furthermore, the costs of compliance must also now be balanced against the crushing macroeconomic impacts of the virus, including a looming recession. This delay would give businesses the bare minimum time to analyze the final regulations and respond accordingly and responsibly.

Conclusion

The Insights Association hopes the above comments will be useful to you and your staff as you finalize the CCPA regulations. We look forward to answering any questions you may have about the marketing research and data analytics industry and working with you and your office in furtherance of consumer privacy in California and the concomitant clarity on CCPA compliance.