CCPA Is Officially Being Enforced, but There Are Still Unanswered Questions

A ballot initiative in November could add more to the law

a gray handprint with purple splattered across it
Though CCPA is fully enforceable, there still is uncertainty over what constitutes as a sale. Pixabay, Getty Images
Headshot of Andrew Blustein

Key insights:

Enforcement of the California Consumer Privacy Act (CCPA) officially begins July 1, but unclear guidelines and upcoming ballot initiatives can make complying with the law difficult.

The law, which went into effect Jan. 1, gives internet users in California the right to request businesses to not sell, and even delete, their personal information. But there are still questions around what counts as selling information and which party manages opt outs.

CCPA defines a sale as “selling, renting, releasing, disclosing, disseminating, making available, transferring or otherwise communicating orally, in writing or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration,” according to the California Legislature’s website.

Gray areas

Jessica Lee, a partner at law firm Loeb and Loeb, said that definition doesn’t provide enough clarity for the industry.

“There are some activities that are clearly sales, and then there are a lot of activities that fall in the gray area. And there’s no industry alignment with respect to what exactly is a sale or when a sale occurs,” Lee said.

There’s also concern over whether the web browser or device can create a universal opt out, said Aaron Tantleff, a partner at Foley and Lardner. Companies must give consumers the option to opt out of their data being sold, but there could be a conflict if the hosting browser or device gives the same option.

“Does that mean that a company has to comply with that because it’s the setting on the browser or the device? … Or do they only need to comply when a user specifically says to that company, via the web link they’ve created or some other mechanism, ‘Do not sell’?” Tantleff said.

The general consensus in the industry is that enforcement will provide clarification of these ambiguities. Under CCPA, companies are given a 30-day cure period to rectify their behavior if they are found to be noncompliant.

Differing interpretations

Daniel Sepulveda, svp of policy and advocacy of MediaMath, said the demand-side platform registered as a data broker and that it’s taking a “conservative view” to the law.

“There are companies that operate much in the same way we do who do not consider themselves data brokers. But again, I think that’s all going to work itself out as enforcement moves into place, and then that’ll signal downstream,” Sepulveda said.

California Attorney General Xavier Becerra will likely prioritize enforcing companies that sell or handle children’s data or other “egregious violators,” said Lee, who expects to see some action take place before the end of the year.

“I imagine that the attorney general would be motivated to at least have some initial action and some initial enforcement that I imagine could come potentially as early as the fall,” said Lee.

Further complications to come?

CCPA as we know it may also change by November. The California Privacy Rights Act (CPRA) is a ballot initiative, which is expected to pass, that would expand upon CCPA and create an enforcement agency.

For example, CPRA would expand the definition of a business to an entity that buys, sells or shares the personal information of 100,000 or more consumers or households. The previous threshold was 50,000, so the change will likely help small businesses.

Under CCPA, consumers have the right to know what specific pieces of information a company has collected them over a 12-month period. CPRA would extend that period to any time so long as it takes “proportionate effort,” said Tantleff.

CPRA would also establish the California Privacy Protection Agency, a separately funded group that would enforce the proposed ballot initiative.

“It really gives a bill a lot more teeth,” said Lee, referring to the agency. “CCPA itself has teeth but this really, I think, will ratchet up the amount of enforcement that takes place.”

Giving consumers the right to have companies delete their data means ad-tech companies have less information to build user profiles and other targeting products. And, as Sepulveda pointed out, independent actions of device makers like Apple are adding to these regulatory challenges.

“You just have to be nimble, prepared and aware of what’s coming and meet the needs of your clients to succeed in that environment—whatever it is,” he added.

NexTech, July 27-30, 2020 Don't miss Adweek NexTech, live this week, to explore privacy, data, attribution and the benchmarks that matter. Register for free and tune in.

Andrew Blustein is a programmatic reporter at Adweek.
Publish date: June 30, 2020 © 2020 Adweek, LLC. - All Rights Reserved and NOT FOR REPRINT