CBA Comment Letter re the California Consumer Privacy Act NPR
Dear Mr. Becerra:
The Consumer Bankers Association (“CBA” or “the Association”) appreciates the opportunity to offer our views on the California Attorney General’s (“the Attorney General” or “the AG”) Notice of Proposed Rulemaking (the “Proposed Rule” or the “Draft Regulations”) concerning California’s regulatory approach to the California Consumer Privacy Act (the “Act” or “the CCPA”).
CBA appreciates the Attorney General’s efforts to provide guidance to businesses on how to comply with the CCPA and to clarify the Act’s requirements through proposed regulations. Most importantly, CBA’s member banks share the Attorney General’s goal of protecting the privacy of consumers. However, we have significant concerns about the proposed regulations as drafted by the Attorney General. Below, we have identified our most pressing issues and offered the Attorney General solutions to consider in the next phase of the rule writing process.
I. The Attorney General’s Right to Opt-Out of Sale Guidance is Insufficient to Address Practical Business Concerns.
CBA urges the Attorney General to provide more certainty about the right to opt-out of sales of personal information. From a review of the draft regulations, it seems a bank, or any covered entity, may present the choice to opt-out of certain sales, so long as a global option to opt-out of the sale of all personal information is more prominently presented than other choices. Note, this option assumes a global option is feasible. From a practical perspective, it is likely a business may possess varying data elements about a single consumer through different relationships with the consumer, which may not be linked.
Moreover, the proposed regulations require a bank, or covered entity, which collects personal information from consumers online to “treat user-enabled privacy controls, such as browser plugin or privacy setting or another mechanism, which communicates or signal the consumer’s choice to opt-out of the sale as a valid request” to opt-out of sale of personal information “for that browser or device, or, if known, for that consumer.” This raises a number of operational complexities and issues since neither the statue nor the proposed regulations condition this opt-out method being a well-established or widely used standard to communicate requests to opt out of sale of personal information.
II. Provide Covered Entities with a Safe Harbor When Verifying Consumer Requests.
The CCPA establishes a series of rights which are contingent upon the receipt and authentication of a “verifiable consumer request.” In order to comply with a consumer’s request to exercise his or her rights under the CCPA, the “business shall promptly take steps to determine whether the request is a verifiable consumer request.”
CBA appreciates the Attorney General for providing helpful guidance related to verification requests. Generally, the proposed regulations direct banks to use a more rigorous verification process when dealing with more sensitive information. The proposed regulations also take it a step further by directing banks not to release sensitive information without being highly certain about the identity of the individual requesting the information. The proposed regulations also provide prescriptive steps of what to do in cases where an identity cannot be verified.
As the Attorney General is aware, banks collect personal information as part of routine transactions to facilitate consumer requests. Even with the proposed rules, furnishing personal information to customers purporting to exercise their rights under the CCPA, in response to a verifiable consumer request, may result in unintended risk and harm to the consumer, including misuse of personal information to perpetuate fraud and identity theft. As a potential solution, the Attorney General should establish a safe harbor from liability to assure banks, and other covered entities, that rejecting a suspicious right of access request in good faith will not later result in a violation.
Moreover, CBA implores the Attorney General to look to the implementation issues encountered by the General Data Protection Regulation (GDPR) in its next stage of rule writing. According to a study published by Blackhat USA 2019 (“the Study”), the Study demonstrates how legal ambiguity surrounding the “right of access” process may be used by social engineers to facilitate fraud. The Study’s experimental findings also demonstrate many organizations fail to adequately verify the originating identity of right of access requests. As a result, social engineers can abuse right of access requests as a scalable attack mechanism for acquiring deeply sensitive information about individuals.
