BPI Comments on Proposed Modifications to California Consumer Privacy Act

The Bank Policy Institute (BPI)[1] appreciates the opportunity to submit comments to the California Privacy Protection Agency on the Modified Proposed Regulations implementing the California Consumer Privacy Act, as amended by the California Privacy Rights Act.[2]

I. Executive Summary

BPI’s members are financial institutions that have invested significant time and resources into building data protection and information security compliance systems that align with federal and state financial privacy laws. BPI members are committed to promoting robust privacy protections for California consumers.
Drawing on the experience of its members operationalizing privacy and security safeguards for their customers, BPI previously submitted comments on the initial Proposed Regulations implementing the CCPA.[3] Many of these comments relate to three key themes:

  • First, the regulations should embody standards that are sufficiently flexible to enable businesses to promote consumer privacy effectively. Consumers are not always served by lengthy and technical disclosures or overly prescriptive requirements.
  • Second, the regulations must operate within the parameters established by the legislature and California voters.
  • Third, the regulations should recognize the critical role of other federal and state privacy and consumer protection frameworks in protecting consumers.

We commend the Agency for the amendments it made to the Modified Proposed Regulations in service of these goals, although, as discussed further below, we urge the Agency to go further and address recommended changes that have not yet been addressed.

Today, BPI emphasizes a small number of technical corrections and clarifications that are necessary to avoid seemingly unintended consequences. In addition, BPI is writing to urge the Agency to delay enforcement as it relates to employee and business-to-business (“B2B”) personal information. The Agency should not enforce general consumer data protection rules in the employment and B2B contexts without careful consideration of their impact and analysis of employment laws, existing commercial contracts, and other legal frameworks. Finally, BPI also reiterates its prior comments, including by urging the Agency to move away from highly prescriptive requirements for contracts with service providers and third parties.

II. Additional Technical Corrections and Clarifications Are Necessary

In this Section, we identify several technical corrections and clarifications that are “low-hanging fruit” for the Agency to remedy. It is not clear that the Agency intends the harmful implications described below, and, in any event, these corrections are important to serve the statutory goals of “strengthening consumer privacy, while giving attention to the impact on business and innovation.”[4]

a. Notice at Collection – Modified Proposed Regulations § 7012(f)

Section 7012(f) requires a business that collects personal information online to provide the notice at collection by providing a “link that takes the consumer directly to the specific section of the business’s privacy policy that contains the information required in subsection (e)(1) through (6).” The section continues by stating that directing the consumer to the beginning of the privacy policy, or to any other section without the required information, will not satisfy the notice at collection requirement.

This requirement is overly prescriptive, burdensome, and impracticable, particularly for financial institutions that are managing disclosures to consumers that comply not only with a constellation of general privacy laws, but also federal and state financial privacy laws. While some businesses rely on an online privacy policy to provide a notice at collection, other businesses elect to link within their online privacy policy or a privacy center page to a California-specific notice to address the required disclosures. So long as businesses ensure that consumers have ready access to the relevant information, businesses should have the flexibility to deliver information to consumers based on the clearest presentation to the users.

Detailed prescriptions on the layering and organization of content within privacy notices are not necessary given that the Modified Proposed Regulations elsewhere address requirements to ensure that notices are provided conspicuously, see § 7003, and to ensure that consumers understand the choices available to them, see § 7004. Further, this level of prescription raises constitutional and administrative legal questions by burdening the ability of businesses to use a single interface to interact with users across states without directing non-California consumers directly to a California-specific privacy notice. Generalizing this requirement would permit businesses greater latitude to communicate effectively with consumers, both Californians and non-Californians alike.

We recommend deleting this provision or, in the alternative, making edits to remove the requirement to link directly to the specific section of the privacy policy that contains the required terms. Proposed language can be found in Appendix A to this letter.

b. Third Party Contracts – Modified Proposed Regulations § 7052(a)

We commend the Agency on edits that it has made to Sections 7052 and 7053, which bring the regulations closer to alignment with the statutory requirements for third parties, although, as described below, we continue to have concerns with some of the elements of the Modified Proposed Regulations. We also think that minor, clarifying edits are necessary for the new Section 7052(a), which reads that, “[a] third party that does not have a contract that complies with section 7053, subsection (a), shall not collect, use, process, retain, sell, or share the personal information that the business made available to it.”

At best, this is not drafted clearly. At worst, it seems to contemplate a contract between businesses and every third party—not just those to which personal information is sold or shared. Such a requirement is not consistent with the statutory design.[5] It also would limit consumers’ control over their personal information, as it would limit the disclosure of personal information by a business to a third party in circumstances in which a consumer directs the business to intentionally disclose the information. In such a case, the recipient would be prohibited from collecting the personal information made available to it.

We recommend amendments to clarify that the provision only applies to third parties to which personal information is sold or shared. Proposed language can be found in Appendix A to this letter.

c. Requests to Know – Modified Proposed Regulations § 7024(h)

We continue to have concerns about Section 7024(h) of the Modified Proposed Regulations, even after the Agency’s modifications. The section contemplates that businesses, in response to a request to know, will provide all personal information collected or maintained about the consumer on or after January 1, 2022, including beyond the 12-month period before the receipt of the request, unless the consumer requests data for a specific time period or doing so proves impossible or would involve disproportionate effort. In contrast, the plain language of the statute contemplates that businesses will provide information for a 12-month period unless consumers request additional information beyond the 12-month period.[6]

In its initial Explanation of Modified Text of Proposed Regulations, the Agency recognized the need to “conform the regulation to the language of Civil Code § 1798.130(a)(2)(B).” However, the Modified Proposed Regulations still do not address the 12-month look-back period in a manner consistent with the statutory text. To ensure consistency with the statute, the Proposed Rules should be clear that there is no requirement to provide information beyond the 12-month period unless the consumer specifically requests it.

We recommend amendments to conform with the statutory text by specifying that a business must provide information only for the 12-month period preceding the request, unless the consumer requests otherwise. Proposed language can be found in Appendix A to this letter, which mirrors the changes that we recommended in our letter dated August 23, 2022.

III. Enforcement Should Be Delayed For Employee and Business-to-Business Personal Information

As described below, the Agency should move forward with providing clearer guidance with respect to employee and B2B personal information. In the meantime, however, the Agency should clarify that the CCPA and its implementing regulations will not be enforced with respect to employee and B2B personal information.

The wholesale importation of general consumer protection principles to the employee and commercial context fails to account for important differences between a business’s relationship with traditional consumers, as compared to those with whom a business interacts in an employment or commercial context. Not only are expectations of privacy significantly different in the employment and commercial contexts, but these areas already are heavily regulated. Indeed, there are federal and state laws that reflect policy judgments about the rights that job applicants and employees should have to access their personnel records and similar personal information.[7]

Likewise, the CPRA should not be construed to displace or interfere with rights and obligations governed by commercial business relationships absent clear intent to do so. Yet this would be the practical impact of the currently contemplated wholesale application of general consumer protection principles to the commercial context without clear guidance that accounts for the important differences between a business’s relationships with its customers and its relationships in these contexts.

For these reasons, we appreciate comments made during the October 28 and 29, 2022 Board meetings relating to the importance of the Agency providing clear guidance and exceptions for the employee and B2B contexts. When the Agency provides more specific guidance on these issues, BPI’s members are happy to work with the Agency to provide further comments about the application of the CPRA in these contexts. Among other important points, the Agency should ensure that its rules are consistent with other relevant legal frameworks and construe the “specific pieces” of personal information definition appropriately to exclude, for example, confidential business information and internal business records and communications.


[1] The Bank Policy Institute is a nonpartisan public policy, research and advocacy group, representing the nation’s leading banks and their customers. Our members include universal banks, regional banks and the major foreign banks doing business in the United States. Collectively, they employ almost two million Americans, make nearly half of the nation’s small business loans, and are an engine for financial innovation and economic growth.

[2] Cal. Civ. Code § 1798.100 et seq.

[3] See Letter from BPI to California Privacy Protection Agency, Re: Proposed Regulations Under the California Consumer Privacy Act (Aug. 23, 2022).

[4] The California Privacy Rights Act of 2020, Cal. Prop. 24 § 3(C)(1) (2020); see also Cal. Civ. Code § 1798.199.40(l) (instructing the Agency to “seek to balance the goals of strengthening consumer privacy while giving attention to the impact on businesses”).

[5] See Cal. Civ. Code § 1798.100(d) (contemplating contracts between businesses and third parties to which personal information is sold or shared).

[6] See Cal. Civ. Code § 1798.130(a)(2)(B) (“The disclosure of the required information shall cover the 12 month period preceding the business’s receipt of the verifiable consumer request, provided that, upon the adoption of a regulation pursuant to paragraph (9) of subdivision (a) of Section 1798.185, a consumer may request that the business disclose the required information beyond the 12 month period and the business shall be required to provide such information unless doing so proves impossible or would involve a disproportionate effort.”).

[7] See Cal. Lab. Code § 1198.5; Cal. Lab. Code § 226(b); Cal. Lab. Code § 432; Cal. Civ. Code § 1786 et seq.; and Cal. Civ. Code § 1786.53.