Enforcement of the California Consumer Privacy Act (CCPA) officially begins today, but unclear guidelines and coming ballot initiatives can make complying to the law difficult.
The law, which went into effect on Jan. 1, gives internet users in California the right to request businesses to not sell, and even delete, their personal information. But there are still questions around what counts as a sale and which party manages opt outs.
CCPA defines a sale as “selling, renting, releasing, disclosing, disseminating, making available, transferring or otherwise communicating orally, in writing or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration,” according to the California Legislature’s website.
Jessica Lee, a partner at law firm Loeb and Loeb, said that definition doesn’t provide enough clarity for the industry.
“I think there are some activities that are clearly sales, and then I think there are a lot of activities that fall in the gray area. And there’s no industry alignment with respect to what exactly is a sale or when a sale occurs,” said Lee.
There’s also concern over whether the web browser or device can create a universal opt out, said Aaron Tantleff, partner at Foley and Lardner. Companies must give consumers the option to opt out of their data being sold, but there could be a conflict if the hosting browser or device gives the same option.
“Does that mean that a company has to comply with that because it’s the setting on the browser or the device? … Or do they only need to comply when a user specifically says to that company, via the web link they’ve created or some other mechanism, ‘Do not sell’?” said Tantleff.
The general consensus in the industry is that enforcement will provide clarification of these ambiguities. Under CCPA, companies are given a 30-day cure period to rectify their behavior if they are found to be noncompliant.
Daniel Sepulveda, svp of policy and advocacy of MediaMath, said the demand-side platform registered as a data broker and that it’s taking a “conservative view” to the law.
“There are companies that operate much in the same way we do who do not consider themselves data brokers. But again, I think that’s all going to work itself out as enforcement moves into place, and then that’ll signal downstream,” said Sepulveda.
California Attorney General Xavier Becerra will likely prioritize enforcing companies that sell or handle children’s data or other “egregious violators,” said Lee, who expects to see some action take place before the end of the year.
“I imagine that the attorney general would be motivated to at least have some initial action and some initial enforcement that I imagine could come potentially as early as the fall,” said Lee.
Further complications to come?
CCPA as we know it may also change by November. The California Privacy Rights Act (CPRA) is a ballot initiative, which is expected to pass, that would expand upon CCPA and create an enforcement agency.
For example, CPRA would expand the definition of a business to an entity that buys, sells or shares the personal information of 100,000 or more consumers or households. The previous threshold was 50,000 so the change will likely help small businesses.
Under CCPA, consumers have the right to know what specific pieces of information a company has collected them over a 12-month lookback period. CPRA would extend the lookback period beyond 12 months to any time so long as it takes “proportionate effort,” said Tantleff.
CPRA would also establish the California Privacy Protection Agency, a separately funded group that would enforce the proposed ballot initiative.