The California Consumer Privacy Act goes into effect January 1st, and it doesn’t look like anyone, even the state of California itself, is totally ready. Draft regulations for enforcing the law are still being finalized at the state level, and questions about specific aspects of the most sweeping privacy regulation since the European Union’s General Data Protection Regulation (GDPR) are still not clear.
“If you thought the GDPR was bumpy, the CCPA is going to be a real roller coaster,” Reece Hirsch tells The Verge. Hirsch is co-head of Morgan Lewis’ privacy and cybersecurity practice and has been advising clients on how to adapt to the new law. “This is a complex set of new rules, which are still a work in progress.”
The crux of the CCPA is this: if your company buys or sells data on at least 50,000 California residents each year, you have to disclose to those residents what you’re doing with the data, and, they can request you not sell it. Consumers can also request companies bound by the CCPA delete all their personal data. And as The Wall Street Journal reported, websites with third-party tracking are supposed to add a “Do Not Sell My Personal Information” button that if clicked, prohibits the site from sending data about the customer to any third parties, including advertisers.
Despite the handwringing ahead of its deadline last year, the official adoption of GDPR went as smoothly as could be expected. Facebook and Google are already facing billion-dollar lawsuits over alleged violations of the GDPR, but it will be years before those suits are closed. Until that time, small companies will have only a muddled sense of how they might be vulnerable to the rule, and compliance continues to be something of a puzzle.
But the CCPA is likely to be an even greater compliance challenge. It’s the first sweeping legislation in the US to give consumers control over how their personal information is used online, and may signal how other states will seek to protect their residents’ privacy, Hirsch says.
He’s advising clients not only update their privacy policies, but to also create processes for retaining copies of any personal information collected about consumers. Hirsch is also advising companies determine who will respond to and handle consumers’ requests for information and the deletion of that information.
California Attorney General Xavier Becerra said earlier this month that even though widespread enforcement of the CCPA isn’t likely until July, companies should not view the first six months of the year as a grace period. “We’re going to try to help folks understand our interpretation of the law,” Becerra said last week, as quoted by the San Francisco Chronicle. “And once we’ve done those things, our job is to make sure there’s compliance, so we’ll enforce.”
James Steyer, CEO of children’s privacy advocacy organization Common Sense, says he thinks most companies are making good-faith efforts to get in compliance with the CCPA. Microsoft announced last month that it plans to implement the provisions of the CCPA not just in California, but for all its customers, too.
Facebook looks to be taking a different approach toward CCPA, emphasizing that “we do not sell people’s data,” according to a December blog post. Facebook says already has tools to allow users to access and delete their information, wherever they live. The service has a CCPA page where California residents can request information about any of its products — WhatsApp, Instagram, Portal, Messenger Kids, and Facebook itself. As a result, Facebook sees itself as largely already complying with CCPA.
Steyer takes issue with Facebook’s stance, since, as he says, the company’s business model is based on collecting and monetizing its users’ data. California should be keeping tabs on how companies collect and use their customers’ data, not just whether they sell that data, he adds.
“As has unfortunately become the custom, Facebook is the single biggest outlier,” Steyer says. “Becerra is going to have to focus on holding companies like Facebook to account.”
Facebook declined to comment further.
Hirsch says it’s not entirely clear what California is using as its definition of a “sale” of consumer information. Another issue: How is a company going to ensure it is deleting the right customer’s data without collecting more information to verify them?
“The broad definition of ‘sale’ is a pain point for a lot of companies because it potentially includes sharing information for online advertising,” Hirsch says. Service provider agreements are another area where companies will have to take a close look at their practices; an agreement with a subcontractor or vendor should carefully spell out how any personal information is used or shared, Hirsch added.
Most large tech companies, Steyer says, view the CCPA as being in their long-term interests because it will create more trust among consumers. But with its slew of privacy gaffes over the past few years, it’s puzzling why Facebook wouldn’t seize an opportunity to improve its privacy track record.
“This is a landmark moment, it’s the first major comprehensive privacy legislation passed in the U.S. since Zuckerberg was in kindergarten,” Steyer says. “But Facebook is trying to find ways to get around the law.”