Companies have less than five months before California’s landmark privacy law, which has the power to reshape the way American companies do business, goes into effect. But there’s a big problem: There’s no clear model for how to comply or who exactly is subject to the rules.
Starting Jan. 1, California residents will be able to opt-out of the sale of their personal information and also request to see the data collected about them from companies that meet specific revenue or collection thresholds. Companies then have 45 days to respond to such inquiries.
However, as the California Consumer Privacy Act is written now, both privacy consultants and legal experts are concerned that a wide range of issues — such as vague definitions and mechanism descriptions regarding how firms should collect and share data — could make accurately responding to those requests impossible. And experts note it doesn’t help that the state attorney general’s office has until July 1, six months after enactment, to lay out how it plans to enforce the law.
Scott McDonald, chief executive officer and president of the Advertising Research Foundation, a nonprofit industry association, likened it to the Internal Revenue Service failing to publish detailed regulations for a new tax law. “People then say, ‘I want to pay my taxes and be a good citizen, but how am I supposed to do that if it’s not spelled out in detail?’”
The California Consumer Privacy Act — which was revived and passed within a week during last summer’s legislative session — mandates that companies that bring in $25 million in annual revenue; collect at least 50,000 pieces of information from California residents, households or devices; or derive more than 50 percent of their business by selling consumer data must be in compliance by next year.
Get the latest global tech news and analysis delivered to your inbox every morning.
But some experts are worried that the law fails to explicitly define covered entities, which makes it unclear whether the threshold of $25 million in annual revenue refers to income from business conducted in California, the United States or globally. And others are concerned about the lack of clarity on how state Attorney General Xavier Becerra’s office expects companies to share user information with consumers.
Jim Halpert, the Washington-based global head of the cybersecurity practice at law firm DLA Piper, said given these ambiguities, it’s impossible for any company to reach 100 percent compliance with the state’s forthcoming privacy law as it currently stands.
Halpert, who has represented clients in major security and privacy cases in both the federal courts and before the Federal Trade Commission, said the largest issue is that it’s unclear which data sources companies need to pull from to successfully fulfill a consumer’s request to either look at the data stored about them or delete it. For example, a brick-and-mortar store might collect information about a customer during online transactions, through interactions with a customer-support phone call, video surveillance at physical retail locations, and third-party email marketing companies hired to reach current and potential customers.
Under CCPA, Halpert said it appears as if companies will need to pull together all of this information to give to a consumer — which is tricky given the nature of how it’s stored — but the law doesn’t clarify if that’s actually the case. And Halpert added that state lawmakers aren’t expected to clear up vague definitions and expectations this year, with those in Sacramento gearing up to battle over possible last-minute amendments that could water down the law’s overall scope.
“The ambiguities are just not a high-enough priority for the different sides in the discussion in Sacramento,” he said.
Becerra’s office is expected to dole out recommendations this fall on what responses to the consumer data requests could look like, Halpert said. But Jay Cline, PwC’s U.S. privacy services leader, noted companies can’t afford to wait: They need to start working with their IT teams this summer, at the latest, to update data storage systems, to leave enough time for testing before they receive their first consumer data request.
Becerra’s office did not respond to a request for comment.
Cline said he is advising clients to take this time to also focus on establishing a system that is flexible and encompassing enough that only a few tweaks and adjustments are needed if a federal standard is ever handed down. This requires a thorough assessment of current privacy measures to figure out where a company has what Cline calls a “compliance gap,” or the difference between what the company is already doing to collect and store data and what they need to do to comply.
But diving into the process won’t be cheap: Per an analysis from the Information Technology and Innovation Foundation, a tech think tank that supports a federal privacy law that would preempt any state legislation, if a law similar to California’s or the European Union’s General Data Protection Regulation were implemented on the federal level, American businesses overall could anticipate spending $7.2 billion in compliance costs to provide consumers with the right to data access, deletion, data portability and rectification.
And according to a poll conducted by MediaPro, a cybersecurity and privacy training group, in April among 1,004 U.S. employees, 46 percent of those surveyed say they have “never heard” of the California law — setting up a potential problem for companies that need to train staff members who know nothing about the law but will be expected to assist with consumer data requests or oversee other compliance efforts.
Matt Fanelli, senior vice president at MNI Targeted Media Inc., said the wave of privacy laws either being enacted or considered at the state level is prompting many companies to ask whether it’s time for them to “self-regulate and govern” themselves now or “wait for the tidal wave” of public or government backlash to knock them down. Facebook Inc. CEO Mark Zuckerberg appearing before Congress last year to testify about his company’s data collection processes serves as the pivotal example of the wave crashing down, he said.
“Consumers are not going to want to interact with companies moving forward that they deem as ‘shady,’” Fanelli said.
On the federal level, lawmakers in both chambers of Congress have yet to release a long-awaited draft of a comprehensive privacy bill. The House Energy and Commerce Committee is said to be targeting the end of September or early October to unveil its bill, and the six-person Senate Commerce Committee working group reportedly hit a stalemate earlier in the summer, with Axios reporting that ranking member Maria Cantwell (D-Wash.) opted to only negotiate with committee Chairman Roger Wicker (R-Miss.).
Experts now say their clients aren’t holding out hope that a federal bill would be unveiled in time to preempt California’s law — making compliance efforts all the more important.
But Carl Szabo, vice president and general counsel of industry group NetChoice, which has been advocating against CCPA, said he believes that the California privacy law may not actually go into effect on Jan. 1. He noted that it will likely face a number of legal challenges on the basis that certain components violate the First Amendment, along with other legal precedents, that would prompt a court injunction to halt the law’s enactment.
“You haven’t seen a single state pass legislation or move legislation that looks like CCPA, and I think that’s because state lawmakers are realizing its rushed and flawed nature and are letting California walk off a cliff before they follow suit,” he said.