We know not what the California Consumer Privacy Act (CCPA) will finally look like when it goes into effect January 1, 2020, but we do know that Silicon Valley heavyweights applied great pressure to revise it, there’s an industry solution for do-not-sell requests, and unfortunately, most US businesses are overwhelmingly unprepared for its debut.
Right now, we’re in the final stretch for any amendments to CCPA that have made the cut to be voted upon by the Legislature prior to heading to the Governor’s desk for signature and the attorney general publishing his proposed regulations for public comment in the coming weeks.
Some of the CCPA amendments to still be voted upon include:
- A bill that would require businesses to provide two methods for consumers to submit requests for information. (A business that operates solely online, would only be required to provide an email address for CCPA requests.)
- A bill that restricts how personal info collected through loyalty programs can be sold.
- A bill that streamlines the definition of “publicly available” and amends the definition of “personal information.”
- A bill that creates a one-year exemption with regard to “personal information” for some B2B communications or transactions
Most of these amendments add much-needed clarity to a law that riddled businesses with far too many questions. But like it or not, it’s still coming.
The Strong Arm Of Silicon Valley
Intent on revising CCPA, tech behemoths like Google and Facebook have steadily lobbied their interests to California lawmakers intent on revising the law. Silicon Valley trade group, The Internet Association, representing companies like the duopoly and Amazon, spent roughly $176,000 lobbying the California legislature in just the last quarter alone. The organization has also been credited with running misleading ads on Facebook and Twitter appealing to California residents to keep the internet free.
Like GDPR, CCPA hits ad tech pretty hard, as the sharing of personal information across the ad ecosystem enables targeting advertising to personal behaviors and interests. Google has already been fined $57 million under GDPR by the French data protection authority for not properly disclosing to users how data is collected across its services.
Some consumer advocates argue that data tracking is of little to no benefit to publishers, so it’s in a publisher’s interest to put their users first. In this regard, recent privacy regulations and the move toward a cookieless future have prompted a return of semantic contextual targeting.
As of now, California lawmakers have strongly held their ground advocating on behalf of consumer privacy rights.
Digital Advertising Do-Not-Sell Solution
On another note, the digital advertising industry is moving toward a policy and technical solution for honoring consumer’s do-not-sell requests as it impacts the sharing of behavioral data for the purposes of interest-based advertising. As it’s written, CCPA calls for businesses to provide a “Do Not Sell My Data” button prominently on their sites.
The details on exactly how this solution will work are still being finalized, but are expected to be ready by the time CCPA goes into effect.
Is Anybody Even Ready For CCPA?
eMarketer reports that only 8% of US businesses say they are ready for CCPA, according to research conducted by PossibleNow, a consent solutions provider. While many surveyed reported to being in prep mode, only a third expected they would even meet the deadline. Of the 11% who said they wouldn’t be compliant, a little more than a third cited expense as an obstacle while others are opting for the “wait and see” approach. Another 17% feel their businesses are too small to face fines. The PossibleNow numbers closely match another survey conducted by the International Association of Privacy Professionals in March.
But if you have customers in California, have an annual gross revenue of more than $25 million, receive, share or sell personal information of more than 50,000 individuals and earns 50% or more of your annual revenue from selling consumer’s personal information, then wait-and-see won’t work for you even if you’re thinking that complying might take up too many resources.
California Isn’t the Only State With a Privacy Law Coming Soon
CCPA steals all the headlines, but there are other states with privacy laws going into effect really soon and many are drawing from the California blueprint. One to watch is Nevada’s do-not-sell law which goes into effect October 1, 2020. Other states, like Maine and Pennsylvania, also have privacy laws dropping soon.