I added yet another section to the Privacy Policy and Your California Privacy Rights pages containing a summary of CCPA requests I received in the previous calendar year. You can find the table in the “California Privacy Request Metrics (Record-Keeping Disclosures)” subsections of those pages. (Both versions of the table are identical; the Your California Privacy Rights page is intended as essentially a California-specific excerpt of the Privacy Policy.) Some additional considerations below the cut:
I don’t THINK I’m technically required to disclose those metrics (the threshold for the regulatory requirement is buying, receiving for commercial purposes, selling, or sharing for commercial purposes personal information from 10 million or more consumers in a calendar year, and it would take some truly outlandish interpretation of the law’s definitions for me to come anywhere near that), but the extremely ominous warning email from the attorney general’s office put me in a “better safe than sorry” mood. (To be clear, it was a mass email not individually directed at me — I am, unhappily, on their CCPA mailing list — but it triggers a panic attack every single time.)
Figuring out how to calculate and present these metrics was challenging. The totals are not a big deal, but the disclosure requirements demand that you disclose the “median or mean” time it took you to “substantively” respond to each type of request, a term that the regulations don’t attempt to define. There are also some puzzling stipulations on distinguishing requests from “consumers” from requests from “all individuals”; I belatedly figured out that “consumers” probably means “California residents,” since the CCPA defines all natural persons who reside in California as “consumers.” (I can’t tell you how much I hate that.)
As with many aspects of these regulations, the disclosure requirements include a series of demands that are, as often as not, framed in ways that are not nearly as clear or understandable (to say nothing of practical) as the people who wrote the regulations seem to have thought. (For instance, I know that “mean” and “median” are not the same thing, but I’m not at all sure the attorney general’s office does.) Given that the potential consequences for even an accidental violation of any of the regulations to which they decide I’m subject are ruinously expensive, that is far from comforting.
Going through this much work and worry for a website for which I have created no new content in some time is really quite agonizing, so if you are annoyed by these updates, join the club!
(ETA: I originally called the applicable subsection “CCPA Request Metrics (Record-Keeping Disclosures)”; I renamed it to “California Privacy Request Metrics (Record-Keeping Disclosures)” on October 3, 2021, thinking that name might be a bit less opaque.)
I admire your tenacity, transparency and good will in responding to the law. You are a model of what the Attorney General’s Office should want.
Does any of the correspondence from the AG have contact information so that you can ask clarifying questions? If not, are there state-level lobbying groups that could try to get clearer answers for you?
The current AG, Rob Bonta, is a recent appointee who will need to run for election in 2022. He has apparently never run a state-wide race before, so he should be on doubly good behavior. Bonta also presents himself as a reformer, so I would hope that his staff would get with the program and be responsive to stakeholder calls for greater clarity.
Well, aside from not wanting to put myself on their radar any more than I have by the public comments I’ve made on the regulations, the problem now is that there’s a newly constituted agency that will be responsible for privacy enforcement, or will shortly become so. This also means there will likely be yet more asinine and frustrating regulations written by a completely different set of people, possibly with divergent interpretations of the law and existing regulations, which is really not an encouraging or appetizing thought in any respect. Half the problem with the current regulations is that the people who wrote them obviously thought the intent and intended scope were much clearer than they actually are, and focused less on clarity than on taking a punitive tone. The consequence is that the regulations contain lots of absolute statements that make their ambiguities and troubling, possibly unintended implications into really high-stakes issues. Having a different set of people doing the same thing in different, potentially contradictory ways is going to make it worse.
The bitter irony of the whole business is that laws that were inspired by the obvious and ongoing bad faith of the tech industry have been framed and structured in ways that give big companies in general and big tech companies in particular huge structural advantages in terms of compliance, while clearly impeding their bad-faith business model not at all. For example, Facebook has no reason to be troubled by the California regulations’ draconian limits on response times to requests — they have whole compliance departments to handle what requests their system doesn’t just automate on demand — but it means that a self-employed person like me could be subjected to life-ending fines for daring to be out of email communication for more than a couple of days at a time, even if it’s because I’m in the hospital.
I guess it’s just as well that I’m philosophically opposed to camping.
Your website is a treasure for automotive enthusiasts, Aaron. Know that your time and effort is appreciated.
I enjoy reading your articles. You research your topics conscientiously, and you also approach these arcane rules with the same level of scrutiny. I am sorry that all of these regulations are so burdensome (and probably unnecessary).