New Data Economy - Key Industry Themes
The Californian Consumer Privacy Act (CCPA) came into effect on January 1, 2020. California’s Office of the Attorney General was entrusted to prepare Regulations which would provide for more clarity on how individuals can implement their data privacy rights and shed more light on how businesses should comply with consumer requests.
On October 11, 2019, California’s OAG released the initial proposal for the CCPA Regulations and invited interested parties to submit their comments on the proposed Regulations.
During the 45 day period, several hundred comments have been received from various stakeholders in the market. Prifina team was both enthused and surprised by the attention that the CCPA public comment period received and the engagement from the industry. Prifina undertook the effort to categorize and organize the CCPA comment submitted by various stakeholders into a more comprehensive format.
Here is a graph that summarizes Prifina’s initial study of the comments submitted to the Office of the Attorney General and some of the common themes that concern different stakeholders in data privacy space.
On October 11, 2019, California’s OAG released the initial proposal for the CCPA Regulations and invited interested parties to submit their comments on the proposed Regulations.
During the 45 day period, several hundred comments have been received from various stakeholders in the market. Prifina team was both enthused and surprised by the attention that the CCPA public comment period received and the engagement from the industry. Prifina undertook the effort to categorize and organize the CCPA comment submitted by various stakeholders into a more comprehensive format.
Here is a graph that summarizes Prifina’s initial study of the comments submitted to the Office of the Attorney General and some of the common themes that concern different stakeholders in data privacy space.
| Main Themes in New Data Economy - Visualization 2020 |
Comparative Study of CCPA Comments
Considering the number of the comments submitted as well as the sophistication of insights provided therein, Prifina saw this as an opportunity to harness that information into a more structured, industry representative format. Therefore, Prifina undertook the effort to categorize and organize the CCPA comment submitted by various stakeholders into a more comprehensive format.
In this letter, we will briefly explain our methodology for aggregating the public comments, provide a brief overview of our findings and offer some discussion points of what may be beneficial focal points for the industry going forward.
The data set, methodology and related findings, as well as further updates, will be made publicly available. You can find more material, including the full data set, on the Liberty. Equality. Data. Open Slack #research channel.
In this letter, we will briefly explain our methodology for aggregating the public comments, provide a brief overview of our findings and offer some discussion points of what may be beneficial focal points for the industry going forward.
The data set, methodology and related findings, as well as further updates, will be made publicly available. You can find more material, including the full data set, on the Liberty. Equality. Data. Open Slack #research channel.
Data Collected - Open Record
|
Data collected following the methodology can be found in the Liberty. Equality. Data. Open Slack #research channel as an open spreadsheet available to be read. Comments and inquiries can be sent to [email protected] All data collected is public record from the CCPA public hearing and comment process available on the California Attorney Generals website. |
Methodology
Methodology During the first comment period, the Office of the Attorney General received hundreds of written and oral comments regarding the proposed text of the CCPA Regulations. The Prifina team reviewed those submitted comments and categorized them using the following taxonomy.
First, the following stakeholder groups became clear.
First, the following stakeholder groups became clear.
It should be noted that the number of written responses submitted by certain stakeholder groups does not directly represent the scale or number of organizations, entities or individuals whose interests may be represented. For instance, given the implications which newly adopted CCPA and Regulations have on certain industries, it was important to distinguish publishing and advertising and marketing industries into separate categories of stakeholders. More specifically, there were 11 comments submitted by the representatives of the publishing industry. Although these 11 comments constitute on 4% of the overall responses received, those comments were submitted by organizations that represent 80-90% of news, audio-visual and digital content the publishing industry (both large and small corporations) which power multi-billion dollar industries in California. It is important to bear in mind this consideration.
The following sections provide some insights and recommendations for the Department of Justice in further drafting the Regulations and taking further steps to implement the CCPA.
Based on the comments submitted by 262 stakeholders and the issues raised, this comment highlights ten major domains which have attracted the most attention from the stakeholders in their comments. We tried to summarize those ten main domains in the “Data Privacy Infographics” (see below). Each of the ten domains contain a number of themes. An In depth investigation of the comments submitted by 262 stakeholders helped identify which themes are more important to different stakeholders.
The data collected could be especially useful for multiple purposes.
The following sections provide some insights and recommendations for the Department of Justice in further drafting the Regulations and taking further steps to implement the CCPA.
Based on the comments submitted by 262 stakeholders and the issues raised, this comment highlights ten major domains which have attracted the most attention from the stakeholders in their comments. We tried to summarize those ten main domains in the “Data Privacy Infographics” (see below). Each of the ten domains contain a number of themes. An In depth investigation of the comments submitted by 262 stakeholders helped identify which themes are more important to different stakeholders.
The data collected could be especially useful for multiple purposes.
- First, the data could improve the regulatory framework: namely, the necessary amendments to the CCPA, finalizing the text of the Regulations, and considering future regulatory actions.
- Second, stakeholder comments help better understand the underlying technological foundations that are closely intertwined with the exercise of data privacy rights, the need to search for universal technological standards (most notably, open-source standards for data portability). Given such dependence on technological solutions in collecting and managing data, the legal framework has to be designed using unconventional approaches. Differently from other areas of regulation, the CCPA should offer opportunities for bottom-up solutions (e.g., compliance toolkits, templates for notices, possible recommended technological solutions for businesses to execute consumer requests, reduce compliance costs, and eliminate “privacy fatigue”).
A comprehensive study of the submitted comments, feedback and recommendations submitted by various stakeholders revealed that different groups share similar concerns. For instance, credit unions and smaller financial institutions are mostly concerned with the fact that they are under-resourced to cope with the requirements imposed by the CCPA; fear that due to the complexity of data privacy they will not be able to timely comply with all of the requirements of the CCPA and therefore request to extend the effective date of the Regulations. Credit unions and financial institutions are navigating a complex regulatory environment and need more guidance on how their new obligations imposed by the CCPA should be aligned with the existing regulatory requirements (e.g., under the Gramm-Leach-Bliley Act, etc.). Furthermore, comments submitted by credit unions and financial institutions brought to daylight the desire from the finance industry to have template notices and privacy policies.
Although the discussion around data privacy is still nascent and the full effects of the CCPA remain to be seen, we can identify some commonalities from the themes raised by the stakeholders. We see there are three overarching themes within the comments that can be highlighted, namely: data portability, transparency around how data (explicit consent), and the balanced use of data.
Look Beyond Compliance
Prifina has seen that following the implementation of the General Data Protection Regulation in 2018 in Europe, many businesses and stakeholders created solutions that were not only focused on compliance with such regulation but rather how such a regulation allowed them to create more thriving businesses and consumer value. We anticipate similar development in California, where businesses will be forced to create better value for their customers based on the new regulations and will not only comply but end up delivering better service. Given the emphasis on compliance and risk-management, we believe it would be valuable to showcase and give a forum for companies creating new solutions upon this new paradigm, where new regulations can also be seen as an opportunity to drive more consumer value.
Data Portability
Prifina believes data portability is a fundamental aspect that the market should address to give individuals more control, visibility and ultimately value from their own data. However, new types of tools are necessary to ascertain that personal data is used in a balanced way that does not become a race to the bottom, where individuals have sold all rights to their data for short term utility. This is why Prifina has proposed a set of Personal Data Licenses, where individuals would be able to attach certain rights and restrictions, akin to the CCPA’s ‘do not sell my data’ language. This framework has been released to the public and Prifina will be advocating for bringing these rights closer to the individual, where the individual has more of a say in how an individual’s personal data is used. Prifina has also released related open source developer tools to build applications on top of this framework.
User-Held Data and Privacy Framework
Industry and a large portion of stakeholder comment submissions have raised several issues such as the complexity of compliance, notices to consumers and technical challenges associated with new privacy provisions, which relate to the consumer experience regarding the provision of services and products. The main concern is that the experience of going through notices, and disclosures would result in an onerous, hard to understand and complicated experience that would dampen and damage the consumer experience overall.
Prifina has co-authored a proposal for Personal Data Use Licenses (Jurcys, Donewald, Globocnik & Lampinen, Note, My Data, My Terms: A Proposal for Personal Data Use Licenses, Harv. J.L & Tech. Dig. (2020), https://jolt.law.harvard.edu/digest/my-data-my-terms.), which outlines a model where individuals can be presented with a set of standardized icons and language, which would correspond to enforcement of their rights under the CCPA and other regulations as relevant. We believe an open standard model for how right and privileges could easily be communicated can be a solution for the perceived complexity in implementing an optimal consumer experience in line with various new privacy regulations requirements.
