Editor’s Note: While this piece is directed at publishers, CCPA also will be something marketers will have to be compliant with, just like GDPR.
Have you recovered from last spring’s GDPR adrenaline rush yet? Everybody in publishing was nervous about finding the right way to comply with new European privacy regulations. It did not seem like there was one clear path to compliance.
As much anxiety as GDPR regulations provoked, that may soon look like the good old days. At least in the EU, 27 countries came together with one edict. They also spent the time necessary to be smart and coherent, whether or not you agree with all the details.
Now California passed a privacy initiative you will be expected to follow starting Jan. 1, 2020. In many industries as goes California law, so go U.S. standards. This will be, in practice, a new national standard. California is too dominant a market, larger than most countries on the globe. Add to that a quirk in the drafting of the law, which says you must treat anyone who has left California and intends to return as a Californian. What?
Newly minted California Governor Gavin Newsom hailed the “first-in-the-nation digital privacy law” in his first State of the State address, according to reporting by Wendy Davis in MediaPost. “Companies that make … billions of dollars collecting, curating, monetizing our personal data also have a duty to protect in. Consumers have the right to know and control how their data is being used.”
CCPA Is Not Like GDPR
“The California law was written in five days, and really shows,” says Christopher Mohr, VP of intellectual property and general counsel at SIIA. “It is an extraordinarily complicated and poorly written statute.” Adding insult to injury, it is grammatically inconsistent and difficult to understand. I can’t imagine what compelled them to rush such important legislation through. It sounds irresponsible when you consider the EU worked on GDPR for more than three years.
“This is not the same as GDPR — it’s much broader.” Not a statement the already GDPR-fearing publishing industry wants to hear. Mohr continues, “In GDPR the information is tied to a data subject, for example, an individual. The CCPA covers ‘households’ as well as individuals. In addition, the CCPA’s potential ban on the use of information extends not only to the information but to the ‘inferences’ you might draw from it.” Inferences? Yikes! The law goes on to explain what is meant, but the idea of inferring conclusions sounds ripe for misinterpretation to me.
The main goal of the law is to regulate the collection and sale of personally-identifiable (PI) consumer data to third parties and service providers. You do not need to get paid for the data. If you disclose it to another party, it is considered a transaction. Using outside vendors to help manage your data is not a problem, because you are the controlling party.
Everyone will now have the “right to delete.” I asked Mohr to confirm that means deleting people from your database, not from your articles. “That’s the intent, I think. Whether the words match the intent is a completely different issue, and it’s not as clear as it could be. Personal information covers any information that could be associated with an individual.”
Anyone can tell you to cease disclosing their data to others; and you must comply. You cannot deny goods or services to anyone because of their data opt-out. That becomes the new Catch-22: In order to know you are not supposed to have data on an individual, you must have that individual in your database. And since it is likely you must have data on an individual in order to do business with him or her, how do you conduct business with data exceptions? For those rare European GDPR complainants, admittedly some American publishers will simply delete; good-bye. In the Hotel California, “you can check out any time you like, but you can never leave.”
Preventing a Privacy Tower of Babel
Fortunately, enforcement is by state attorney general, not by individuals. In other words, thank God this is not an invitation to everyone in California to sue. Of course this law will be challenged in court. It may be too vague, according to some. It may be discriminatory, since non-profits (and government agencies) can ignore it and do what they want, the way it is written.
Living in this hyper-intrusive world, it’s hard to disagree with the intent of CCPA since we are all being personally data mined. But play this out. Imagine what mischief the other 49 states can do. Davis reports, Washington state “lawmakers are considering a bill that would not only give consumers the right to learn what data is collected about them, but would also allow them to prevent their personal data to be used for ad targeting.”
Federal legislation is coming on this after the recent grillings on Capitol Hill of some of the leading big-tech luminaries. Typically federal legislation trumps local law, which is what makes interstate commerce work. Hopefully there will be one law of the land, so any company handling data can maintain sanity versus bowing to every state, city, or county passing a law. But in these Alice in Wonderland times we are in, I will leave that speculation to you.
You have complied with GDPR so that means you now have DPO (data protection officer). The CCPA gives your DPO a little more to do.
I’m no lawyer, so I’ll provide the usual disclaimer on all the above. On the other hand, I am a member of and advocate for the Specialized Information Publishers Association, part of SIIA, whose general counsel Chris Mohr was invaluable in enabling me to share an understanding of this law. I believe it makes great sense to occasionally be involved with your peers and work on common problems like privacy laws. As a member of SIPA or Connectiv, you won’t need to call your lawyer every time there is a question about the new privacy landscape. You can take advantage of knowledgeable experts in your corner.
Do I have you pining for the muddy clarity of GDPR yet?