The California Consumer Protection Act doesn’t go into effect until 2020, but that doesn’t mean the 10,000-word law—passed in just five days last summer—won’t be a big issue this year.
Last month, the California attorney general’s office—which is in charge of creating rules for the CCPA—began holding a series of hearings to gather feedback that will continue through February in cities across the state. Trade groups including the Association of National Advertisers and the Interactive Advertising Bureau have submitted testimony about how they think the new regulation will hinder operations. They’re also urging state lawmakers to consider changing or clarifying terms, rules and exemptions.
Dan Jaffe, group evp for government relations at the ANA, said the law in its current form could put some brands’ rewards programs at risk because it might be hard to give equal incentives to people who opt into sharing data and those who opt out. Jaffe said requiring companies to create “massive data pools” for responding to consumers’ requests for their personal information might become tempting targets for hackers.
“It’s just like talking about the fundamental piece of the body and act[ing] like you can just discuss it and change it dramatically without talking about the others,” he said.
According to results of the law firm Baker McKenzie’s recent study about various types of compliance, 68 percent of companies in the technology, media and telecom sector said they’ve had compliance breaches uncovered by a regulator—that’s more than any other sector, according to the firm.
But compliance isn’t necessarily a burden to growth. William Devaney, co-chair of the law firm’s global compliance and investigations group, said connecting compliance across a company can lead to growth because of increased communication and investments across departments.
“The managers at every level of an organization have it ingrained in them that the company is going to behave in a compliant manner,” Devaney said.
Big Tech isn’t the only group concerned. Shannon McCracken, CEO of The Nonprofit Alliance—an advocacy group whose members include AARP, the American Heart Association and the Nature Conservancy—said the CCPA has an exemption for nonprofits, but not for the data providers some organizations rely on for fundraising, disaster relief and other uses.
“Nonprofits use data to reach beneficiaries, to figure out how to most benefit programs, to figure out where the need is greatest, and to measure our impact in the world,” McCracken said.
Privacy advocates are also looking for changes of a different sort. For example, the Electronic Frontier Foundation wants some parts of the law strengthened, including requiring a way for consumers to sue companies for mishandling data rather than relying on the AG’s office. The EFF also wants consumers to opt in to tracking rather than asking to opt out.
“The consumer has no idea who these companies are, and if they want to know, there is no way to find out until you have the registry of data brokers,” said Adam Schwartz, a senior staff attorney at EFF.
That doesn’t mean U.S. companies should wait until next year to get their data compliance processes in place. And being compliant with the European Union’s General Data Protection Regulation doesn’t mean being compliant for CCPA. Jeff Sovern, a professor of law at St. John’s University, said businesses will have to change their website by Jan. 1 to create a way for consumers to ask for their data or opt out of having it collected. He added that consumers will also be able to ask for data from as far as a year back.
But all the worrying and planning might be moot if—and it’s definitely an if—Congress decides to pass a privacy law of its own this year. Already, Sen. Marco Rubio (R-Fla.) has introduced legislation that would preempt all state laws, while other lawmakers are expected to introduce their own bills this spring.
“There has definitely been a microscope mixed with a heat lamp on data privacy,” said Dave Grimaldi, evp for public policy at the IAB.