More than eighteen months after the General Data Protection Regulation took effect, the fallout from Europe’s privacy law has been minimal. The same will not be true of the California Consumer Privacy Act, which takes effect on Jan. 1.
Because the California Attorney General’s office is not expected to be able to enforce the CCPA until July 1, some industry executives are of the mind that much of 2020 will serve as a grace period for companies to sort out changes they need to make to their businesses. That is misguided.
The AG’s office may not be able to enforce the CCPA until mid-year, but at that point it will be able to penalize companies for privacy violations dating back to the beginning of the year. By then companies may already be feeling the privacy law’s pinch with some advertisers planning to pull back on targeted advertising and the potential for sites’ CCPA-mandated notices to scare off visitors to publishers’ properties.
“We’ve already talked to some companies who either have decided or are considering to pull their marketing programs from California. So there may be some fallout. It might just be a temporary thing for them to see where the cards fall,” said Rachel Glasser, global chief privacy officer at Wunderman Thompson.
Even if only temporarily, advertiser pullback would put publishers’ and ad tech companies’ businesses in a bind. But those companies are also facing more permanent predicaments.
Any company that sells California residents’ personal information under the law’s broad definition of sale is required to put a “clear and conspicuous” link on its homepage titled “Do Not Sell My Personal Information” for people to request the company to stop selling their information.
While one publisher said they hope the notice will meet the same banner blindness as sites’ cookie notices, multiple ad tech execs said that some publishers are so fearful the notice will sabotage site traffic that they are considering not adding it to their sites, even if it seems they would be required to do so. “Unfortunately there are some law firm attorneys running around saying this is a button of shame,” said one ad tech exec.
Shame should be less of a concern to companies than lawsuits. Even publishers that have had to comply with the GDPR and would seem well positioned to comply with the CCPA are concerned that lawyers and consumer privacy advocates will pressure-test companies for failures to comply with CCPA-related data requests. If they do, publishers that don’t have many logged-in users and rely on cookies to collect information would be in a particularly precarious position.
“If you visited our site on Jan. 5 and in May you reach out and say ‘I visited your site in January and want to know everything you have on me or I opted out and want you to prove you didn’t collect anything on my session,’ that’s going to be extremely hard for a lot of publishers to comply with,” said a publisher.
And that’s all just preamble to July when the AG’s office gains the ability to enforce the CCPA. For anyone of the mind that the AG’s office will wait to enforce the law, California AG Xavier Becerra appears set on disabusing them of that notion.
In a press conference on Dec. 16, Becerra said that his office will be “aggressive” and “early” in its enforcement of the CCPA, especially with respect to the personal information companies collect from children under the age of 17, according to the San Francisco Chronicle. “Our job is to make sure there’s compliance, so we’ll enforce,” Becerra said.