We are now two weeks into enforcement of the California Consumer Privacy Act, the first statewide internet privacy law in the U.S. But the legislation’s rocky road to this point could spell trouble for the two dozen other states and territories drafting bills with similar privacy protections, as well as businesses that are not yet compliant.
“This is just the beginning of a very complex story that’s unfolding. It’s just going to get worse for brands,” said Matt Voda, CEO of OptiMine Software Inc., a marketing measurement firm. “Companies need to take this seriously and understand the risks within their technology because it will get more complex. The time to act is now.”
CCPA gives consumers the right to request their data be deleted or opt out of having their personal information sold.
That mandate comes with its own challenges for businesses trying to comply with the law, including when a consumer asks to have their information deleted. “The brand now has to understand where a consumer’s data resides even beyond their own servers,” Voda said.
Privacy experts are expecting other states to begin ramping up efforts to adopt their own privacy legislation next year after there’s been time for California to fully implement and enforce its law, said Michelle Richardson, who directs the data and privacy project at the Center for Democracy and Technology.
Maine, California and Nevada have already enacted their own laws protecting consumer privacy, and 24 others have bills in development.
The backlash facing the California legislation represents “the danger of going first in any law or policy area,” Richardson said, adding, “There are going to be growing pains, and so it’s not necessarily a huge criticism.”
Other gray areas and questions persist, including whether a browser can universally opt out for a consumer. Which violations will be targeted for enforcement? And what about the privacy announcements of device manufacturers like Apple?
A proposed question on the upcoming November ballot calls for establishing a state enforcement agency.
Brands are complying, mostly
For the most part, it seems like brands are complying with CCPA, said Julie Rubash, vp of legal for Nativo, a native advertising platform. Specifically, publishers are still collecting data, “but in a transparent, privacy-compliant way,” Rubash added.
In terms of consumer behavior, not much has changed since CCPA became law in January. Only 0.91% of website visitors to publishers with inventory in the Nativo marketplace, and that implemented IAB’s CCPA framework, chose to opt out of the sale of their personal information.
It remains to be seen whether those sentiments change as privacy laws continue to be established in other states.
In the meantime, CCPA has left some businesses wondering how they should prioritize collecting and using consumers’ personal data. “That’s a question that all companies are going to be asking themselves, especially with things like Google sunsetting the third-party cookie,” said Rubash.
Among the worst offenders in collecting data are the platforms where consumers post about their everyday lives, according to Britt Paris, assistant professor at Rutgers School of Communication and Information.
“We need to switch completely to cooperatively owned and run platforms and internet structures. That seems like a far-off hope,” Paris said, but noted that laws like CCPA are a good starting point.