CCPA Is Confusing AF

How did you celebrate Data Privacy Day on Jan. 28? Did you re-read all the preparation guidance from before GDPR came into law on May 25 and see what was actually useful? Did you try to access your available data from Facebook or Google? Did you huddle in a corner and worry about how complying with the California Consumer Privacy Act (CCPA) is going to kill your revenue efforts?

Digital media is looking forward to another year of impending doom as a fresh piece of confounding privacy regulation hangs over the space. The CCPA, which will affect any company that touches the data of at least 50,000 Californians a year, is in the middle of a statewide hearing tour at the moment, and the cracks are increasingly showing in the reportedly hastily assembled piece of regulation (typos are reportedly rampant and legislative patches continue to be written).

You could be experiencing déjà vu of when the European Commission took its own sweet time releasing regulatory guidance for GDPR and made any and everyone who touches consumer data from the European Union sweat heartily beforehand. While the law goes into effect on Jan. 1, 2020, the California Attorney General actually has until July 1, 2020 to implement regulations regarding some aspects of the law. Still, that seems far too close for comfort considering digital media companies’ basic concerns with the law.

Adding to a chorus of anxious business voices was a joint letter from the IAB, 4A’s, AAF, ANA, and NAI (aka, the Fearful Five or the Questioning Quintet) requesting clarification on issues such as whether a selective opt-out system from specific data collection was OK or if blanket opt-out was the only way.

At a public forum in Sacramento on Feb. 5, other business groups bemoaned the lack of clarity about what personal data falls under the law, whether de-identified data must be “re-identified” when a consumer requests it, and even whether the de-identification threshold was actually possible to meet. There are real worries that the law’s prohibition of discrimination against opting-out consumers threatens loyalty programs big and small, which by nature reward those who opt in.

Surely some out there are praying for clemency in the form of a lawsuit striking the law unconstitutional or that slight chance of superseding federal regulation that simply codifies industry current self-regulation. But let’s not kid ourselves—CCPA becomes a bit more real every day, and waiting for guidance is not an option.

Frankly, we’re still figuring out GDPR six months after it came alive, desperately deciphering meaning from every reported violation—and the latest was a big fish that offered some insight. The joke long-whispered around the industry was that GDPR was specifically written to nail Facebook and/or Google—the latter was hooked, but the €50 million fine seemed quite a pittance considering the billions Google brings in every quarter thanks to data-driven advertising.

Thing is, GDPR did hand-deliver us a blueprint for managing an opt-in consent program. As we suggested in our recent playbook “Aligning Regulatory Compliance and User Experience,” offering opt-in consent for data tracking is not only likely to become the law of the land, it’s a UX best practice.

Complying with GDPR offers a foundation that can be built on as the privacy laws mount—as well as evolve, which certainly seems to be the case with GDPR and CCPA. Even Google appears to be modifying its data services (for better or worse) to prepare for more GDPR-like privacy regulation around the world.

It’s time to stop lamenting GDPR, and instead use it to prepare for future compliance—and as a way to respect your users.