It’s August, which means that the California Consumer Privacy Act (CCPA) is officially in effect and enforceable.
However, there are still more questions than answers, and the chaos will likely continue for the next year or two. Jessica B. Lee, Partner, Co-Chair, Privacy, Security & Data Innovations at Loeb & Loeb LLP—where she focuses on emerging media, technology, advertising and promotions, privacy and intellectual property—outlines three important things you should be following to stay on top of the chaos in California’s Privacy Law.
(Be sure to sign up for AdMonsters Publisher Forum Virtual, where on Aug. 26, Lee will lead a discussion on the latest developments with the privacy law and its implications for digital media and advertising, as well as what we can expect in the future—featuring Farah Zaman, VP, Chief Privacy Officer, Meredith Corporation and Ashley Tan, Assistant General Counsel, Buzzfeed.)
Here are three things Lee says you need to know to stay on top of CCPA:
#1 – The Regulations are Final, but Still Not in Effect
The CCPA requires California’s Attorney General to issue regulations to clarify certain portions of the CCPA, including:
1) which categories of data are considered personal information;
2) how to define unique identifiers;
3) the requirements for notices given to consumers, and
4) how to provide and honor consumer rights requests.
Notably, clarifying the sale definition is not one of the items that the Attorney General has rulemaking authority over. We won’t have real clarity over which activities are “sales” until we start to see some meaningful enforcement.
After three rounds of modifications, which saw the regulations move from extremely restrictive and unfriendly, to more business-friendly, and back to somewhere in the middle, the California AG submitted the final regulations for approval on June 1st and requested an expedited review and immediate enforceability.
For companies waiting for final regulations, this timeline created a fairly short window to address a fairly robust set of requirements. The rush to regulation is puzzling.
While counterparts in the EU have recognized that we are in the middle of a global pandemic and that companies are struggling to retain their employees while addressing a health and financial crisis, the California AG has taken a business as usual approach. Fortunately, despite the AG’s request, the regulations still have not been approved or finalized as I write this article. The effective date for the regulations is up in the air. At least companies have had some time to get ready.
#2 – Responding to Global, Browser-Based Opt-out Signals is Now Required
One of the fundamental changes in the regulations is the introduction of an obligation for companies to honor “global browser-based opt-out signals.”
Consumers will be able to opt-out of the sale of their personal information across all websites using browser controls or plug-ins, rather than going site by site to opt-out. This creates several challenges.
First, some consumers may either opt-in or refrain from opting-out of sales on specific publisher sites because of their trusted relationship with that publisher (or because they are receiving a financial incentive). The browser-based opt-out may override that choice or force publishers to present yet another pop-up to the consumer asking them to opt-in or reminding them of their financial incentive election.
Second, it’s not clear how these tools will be designed—will they accurately characterize what a “sale” is and what it means to opt-out?
Most industry-professionals aren’t clear on what constitutes a “sale,” much less the average consumer. How will the consumer be empowered to make an informed choice? Or will the browser default to opt-out (similar to Apple’s ITP) and choose for them?
Third, while economics garners little sympathy from the privacy advocates, large scale opt-outs threaten the ad-supported internet. Consumers generally do not want to pay for content, but companies facing large-scale opt-outs may turn to paywalls, member-only-content, and other approaches to help support their sites.
There are currently no browser controls or plug-ins that meet the CCPA’s requirements, and to date, none of the major browsers have signaled whether or when they plan to launch such a tool. We should expect at least some browser plug-ins to launch with this capability within the year (if not sooner).
#3 – CPRA Approved for the November Ballot
As companies continue to work through the CCPA chaos, an amendment to the CCPA—the California Privacy Rights Act (CPRA)—is on its way to the November ballot in California.
The CPRA is a ballot initiative, which means that California voters can vote it into law without going through the legislative process. The CPRA amends the CCPA and closes some gaps.
Although the CCPA is considered a broad, sweeping privacy regulation, it is ultimately a law that focuses on restricting the transfer of personal information to third parties. The CCPA puts few restrictions on a company’s internal use of the personal information it collects. The CPRA, on the other hand, introduces GDPR-like principles that require companies to limit the amount and use of personal information collected.
Under the CPRA, consumers can also restrict companies’ use of “sensitive personal information” (e.g., health, geolocation, race, and biometrics), making it unavailable to build consumer profiles or understand consumer preferences.
These new restrictions are sure to impact business and the pace of innovation, which has moved rapidly in the U.S. partly due to the lack of GDPR-like regulations.
What Can You Do Now?
While the prospect of new rules may sound bleak, these changes present a unique opportunity to innovate. The companies that come out on the other side of this will do so not by sticking their heads in the sand, but by leaning into this new reality: consumers will have new rights, access to third party data will become more difficult, and we will need more transparency around profiling and targeting.
1) if you are a consumer-facing platform, educate your consumers about the value they receive in exchange for their data and work to regain or keep their trust;
2) identify new identity-resolution technologies that will last beyond the limits of third-party cookies;
3) test the technology and tools that will help you understand your consumers without having to track them;
4) adjust your business models to account for this new landscape, and
5) get a seat at the table with the industry groups working to prepare the online advertising ecosystem for the future.
This article is the third written in a series by Jessica B. Lee, Partner, Co-Chair, Privacy, Security & Data Innovations at Loeb & Loeb:
- California in Chaos: 3 Things You Need to Know to Stay on Top of CCPA
- The Value of Talking About the Value of Consumer Data
- The Trouble with Consumer Choice
Don’t forget to register for AdMonsters Publisher Forum Virtual, where on Aug. 26, Lee will lead a discussion on the latest developments with the privacy law and its implications for digital media and advertising, as well as what we can expect in the future—featuring Farah Zaman, VP, Chief Privacy Officer, Meredith Corporation and Ashley Tan, Assistant General Counsel, Buzzfeed.