CCPA Is Officially Being Enforced, but There Are Still Unanswered Questions

A ballot initiative in November could add more to the law

a gray handprint with purple splattered across it
Though CCPA is fully enforceable, there still is uncertainty over what constitutes as a sale.
Pixabay, Getty Images

Key insights:

Enforcement of the California Consumer Privacy Act (CCPA) officially begins July 1, but unclear guidelines and upcoming ballot initiatives can make complying with the law difficult.

The law, which went into effect Jan. 1, gives internet users in California the right to request businesses to not sell, and even delete, their personal information. But there are still questions around what counts as selling information and which party manages opt outs.

CCPA defines a sale as “selling, renting, releasing, disclosing, disseminating, making available, transferring or otherwise communicating orally, in writing or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration,” according to the California Legislature’s website.

Gray areas

Jessica Lee, a partner at law firm Loeb and Loeb, said that definition doesn’t provide enough clarity for the industry.

“There are some activities that are clearly sales, and then there are a lot of activities that fall in the gray area. And there’s no industry alignment with respect to what exactly is a sale or when a sale occurs,” Lee said.

There’s also concern over whether the web browser or device can create a universal opt out, said Aaron Tantleff, a partner at Foley and Lardner. Companies must give consumers the option to opt out of their data being sold, but there could be a conflict if the hosting browser or device gives the same option.

“Does that mean that a company has to comply with that because it’s the setting on the browser or the device? … Or do they only need to comply when a user specifically says to that company, via the web link they’ve created or some other mechanism, ‘Do not sell’?” Tantleff said.

The general consensus in the industry is that enforcement will provide clarification of these ambiguities. Under CCPA, companies are given a 30-day cure period to rectify their behavior if they are found to be noncompliant.

Differing interpretations

Daniel Sepulveda, svp of policy and advocacy of MediaMath, said the demand-side platform registered as a data broker and that it’s taking a “conservative view” to the law.

“There are companies that operate much in the same way we do who do not consider themselves data brokers. But again, I think that’s all going to work itself out as enforcement moves into place, and then that’ll signal downstream,” Sepulveda said.

California Attorney General Xavier Becerra will likely prioritize enforcing companies that sell or handle children’s data or other “egregious violators,” said Lee, who expects to see some action take place before the end of the year.

“I imagine that the attorney general would be motivated to at least have some initial action and some initial enforcement that I imagine could come potentially as early as the fall,” said Lee.

Further complications to come?

CCPA as we know it may also change by November. The California Privacy Rights Act (CPRA) is a ballot initiative, which is expected to pass, that would expand upon CCPA and create an enforcement agency.

For example, CPRA would expand the definition of a business to an entity that buys, sells or shares the personal information of 100,000 or more consumers or households. The previous threshold was 50,000, so the change will likely help small businesses.

Under CCPA, consumers have the right to know what specific pieces of information a company has collected them over a 12-month period. CPRA would extend that period to any time so long as it takes “proportionate effort,” said Tantleff.

CPRA would also establish the California Privacy Protection Agency, a separately funded group that would enforce the proposed ballot initiative.

NexTech, July 27-30, 2020 Save your virtual seat for Adweek NexTech, July 27-July 30th to explore privacy, data, attribution and the benchmarks that matter. Learn more.

Recommended articles