CCPA Goes Further

Looking at the latest Data Security updates from California

Data security has been an evolving conversation in the advertising/media space since the 2016 adoption of GDPR in the EU. While the US has yet to adopt a similar national measure, individual states have taken up the cause to varying degrees. California led the way on consumer data security/privacy with its aggressive legislation, adopting the California Consumer Protection Act (CCPA) in 2018. Though adopted in 2018, the law didn’t go into effect until January 2020 and was not slated to be enforced until July 1 of this year.

While the enforcement period for CCPA has technically barely started, Californians are already fighting for stronger protections for their data. The California Privacy Rights Act (CPRA) is currently slated to be on the California ballot this November. With these new developments, there are questions about whether it is necessary, what the difference between the two acts is, and when companies will be affected from a compliance standpoint.

First up – why is this necessary?

The answer has a few angles to it, all rooted in CCPA.

  • CCPA originally was supposed to be a ballot initiative – similar to the route CPRA is currently going – but legislators opted to take it off the ballot and pass the law themselves so they could amend pieces of the legislation. Many organizations have felt that by allowing legislators to amend the law and pass it in this way, it actually diminished the protections originally intended and left a lot of things unclear – including how it was going to be enforced, who would be executing the enforcement and how personal data is defined.
  • With CCPA’s passing, the California Attorney General’s office became responsible for enforcing the law by default. AG enforcement has proved challenging, as the office was not able to provide a final draft of the rules it would use to enforce CCPA until June 2 – less than 30 days before the enforcement period went into effect. As of the writing of this article on July 17, this final draft is still sitting with the Office of Administrative Law for the state of California with no timeline as to when approval will happen.
  • Most legislators are not experts in media, data security, targeting – really anything related to the monetization or usage of data for business purposes – or the vernacular surrounding those areas. Because of this, as the legislation was considered, edits were made that ultimately left the details and parameters of the law unclear to those who work within the fields it’s meant to regulate.

Next – what’s the difference between CCPA and CPRA?

The easiest way to “position” these two pieces of legislation is that CPRA is an addendum to CCPA, with the ultimate goal of making CCPA clearer and more enforceable. The new act has a total of 31 sections and covers some 53 pages in order to address these goals. These are a few of the things that stood out most:

  • First – it more clearly defines personal information and limits the use of “sensitive personal information.” Personal information is a landmine of a phrase, because it means different things to the average consumer than to businesses. CCPA uses the phrase to encompass all data, but CPRA has created a sub-category that its authors hope will make the general consumer (read: voter) more comfortable.
  • When consumers read “personal information,” they interpret it as everything from race and ethnicity, sexual orientation, biometric data and GPS coordinate location onward, even going so far as log-in credentials. To businesses, the “personal information” they care about might be a couple of those things (GPS location, for instance), but really the information they care about aligns with items like device ID or device type. Most consumers don’t care about device ID, so CPRA created the sub-category “sensitive personal information,” which will separate device-type information from consumer lifestyle-type information. This will allow consumers to better understand what information companies may be collecting about them and to opt out should they be uncomfortable with that information being used and/or sold.
  • Second – it more clearly defines what counts as a sale. CCPA currently defines a sale as the exchange of someone’s personal information for money “or other valuable consideration,” which feels murky at best. Basically, it’s a semantic point that could affect the legalese – especially if you find the right lawyer. So CPRA aims to clear things up by splitting personal information (see above) and applying that split to sales for either cash or company favor.
  • Third – it would provide a way for California consumers to correct inaccurate personal information collected by companies. Basically, you can request that a company update its information, and the company then becomes commercially responsible for updating it with reasonable effort.
  • Finally – it creates a formal body for the enforcement of the law, making it feel like the strongest shift toward GDPR-type legislation overall. While enforcement currently lies with the AG, CPRA would ultimately create the California Privacy Protection Agency to enforce and implement the law and impose fines if a company is found not to adhere to the regulation. The act requests an annual budget of $10 million for this agency, which could be a subject of voter focus in November, as it’s not clear how that will impact state and local tax revenues.

Last question – what’s the timeline on this?

There are a couple hurdles to answering this cleanly.

  • Law adoption is first up. If CPRA continues on its current route, it would be on the California ballot on November 3.
  • However, if the California legislature decides to go the route it did with CCPA, it could remove the act from the ballot and create the law internally, allowing for changes. This could be done at any time before the vote.
  • If it does go to a public vote on Nov 3 and passes, the law wouldn’t take effect until January 2023 and wouldn’t affect data collected prior to January 2022. Basically, the state has 2+ years to establish and fund the agency for enforcement, and companies have a year to make sure all their ducks are in a row with compliance – similar to the timeline instated with the adoption and enforcement of GDPR in the EU.

What does this mean today? Honestly, not a lot, but it is important to keep on the radar, especially for companies that collect, use or activate data. This could affect everything from loyalty programs to data collection companies using data for straight sale. But the bottom line is, if you are a business that markets to or has customers in California, you need to keep an eye out for developments. If your company doesn’t have a connection to California today, you can maybe breathe a little easier, until/if/when national legislation becomes a factor.

**UPDATED** August 19, 2020

CCPA received its final approval from the California Office of Legislative Affairs on August 14. This means that the law is now defined for enforcement purposes. As reported by MediaPost, most of the finally approved regulations were minor edits from the proposed version, but there were a few tangible changes/clarifications. Removed were the requirement for companies to obtain explicit consent from consumers to use their information for purposes different from those originally intended at collection, and the requirement that companies offer “easy for consumers to execute” opt-out mechanisms. While this drew criticism from Consumer Reports, it is not the only criticism of the revisions. Another is coming from the ad industry, reacting to the regulation’s requirement that companies honor global do-not-sell request signals embedded in consumers’ “user-enabled” controls, including browser settings. While these signals have existed for years, they have been widely ignored by the industry.

With the final details approved, the California Attorney General is now able to prosecute companies for non-compliance. If an offending company is identified, a notice of violation must be provided, giving the offender 30 days to come into compliance. If that deadline is not met, the company could face a fine of between $2,500 and $7,500 per violation.