‘Companies have their hair on fire’: California privacy law compliance is likely to be a last-minute scramble
With less than a year until the California Consumer Privacy Act takes effect, it is looking more likely that there will be a last-minute scramble of companies trying to comply with the law, similar to the one seen last year in the lead-up to the General Data Protection Regulation.
Dealing with the California privacy law “is more difficult than dealing with GDPR,” said Dan Jaffe, group evp for government relations at the Association of National Advertisers.
The California privacy law is especially challenging for companies trying to comply with it because the law is a moving target. The California state legislature may still pass amendments to the law this year, and those amendments could force companies to undo or redo their early compliance efforts. Additionally, the law takes a broad definition of personal information. For example, it covers any information that identifies or “could be reasonably linked, directly or indirectly” to an individual or household, according to its text. The inclusion of “reasonably” can complicate companies’ abilities to determine whether they are or are not subject to the law, a determination that will ultimately be up to the California attorney general’s office, which is charged with enforcing the law and has only recently begun a series of public hearings to solicit feedback on clarifications that may be needed.
“You’re trying to fix the plane while it’s in the air and not crash. The takeoff has already happened. The law has passed,” said Jaffe.
The first issue is just less time: Companies had four years between when the GDPR was approved and when it was enacted to have meetings and hearings with regulators to understand how companies are expected to comply with the law. For the California privacy law, companies will have had just shy of 18 months between when it was approved in July 2018 and when it will take effect on January 1, 2020. That window is made tighter by the fact that there remain a lot of unanswered questions regarding how companies are expected to comply with the law and it is unclear when or even if clarifications will be made.
Many questions, few answers
Those questions may or may not be answered during the six public hearings that the California attorney general’s office began hosting throughout the state in January. The attorney general’s office is using these hearings to solicit feedback on the rules it is responsible for making, which companies are meant to adhere to when abiding by the law. Then there’s the further complication of the potential for amendments to be made to the law.
Industry organizations, including the ANA and the Interactive Advertising Bureau, continue to relay clarification and change requests to the state attorney general and legislators. The ANA’s svp of government relations Christopher Oswald attended a public hearing that the attorney general’s office held on January 14 in San Diego to request five clarifications, and the IAB’s evp of public policy Dave Grimaldi plans to attend the hearing that will be held in Los Angeles on January 25 to similarly provide feedback. The IAB also plans to schedule a “lobby day” in February to meet with state legislators in Sacramento, said Grimaldi.
No time to wait
Given that much of the law remains in limbo, companies looking to comply should operate under the assumption that the law will not change, Jaffe said.
In late November, law firm Perkins Coie hosted a fireside chat in its San Francisco office with California special assistant attorney general Eleanor Blume to discuss the California privacy law. “It’s pretty clear that she was taking a position that companies should really get started in their thinking about the CCPA and that they should not be hanging back waiting for amendments before they get started with thinking through what this might mean for their business,” said Dominique Shelton Leipzig, partner at Perkins Coie and co-chair of its ad tech privacy and data management practice.
Early compliance steps
Legal experts such as Leipzig and industry organizations including the IAB have recommended that companies should get started by taking an inventory of the data that they collect from people, including their own employees. This is important because when the law takes effect on January 1, 2020, companies will be responsible for the data that they collected over the prior twelve months, meaning that companies will need to review the data they have collected since January 1, 2019.
Companies that have had to comply with the GDPR should have already done this data management work and are likely “70 to 80 percent of the way home on CCPA compliance,” said Greg Leighton, partner at law firm Neal Gerber and Eisenberg. For these companies, Leighton’s general advice is to “continue to take a wait-and-see approach until at least Q3 or Q4” when clarifications are likely to have been made.
Companies that did not need to comply with the GDPR but meet the California law’s requirements — having at least $25 million in gross revenue, dealing with the data of at least 50,000 people or devices for business purposes, or making at least half their money from selling people’s data — will need to do the data inventory to assess the data coming into their companies, how that information is processed and how it is stored.
“There’s no way to do a compliance program for CCPA without doing those basic activities first,” Leighton said.
Once that data management work is done, then companies can look at low-hanging fruit like revamping their privacy policies to reflect the law, such as its requirements for companies that sell people’s data to provide people with a way to opt out of that sale and to request that the company deletes that data.
Maybe by that time, there will be more clarity into how companies are meant to comply with the law. And if not, at least companies will have done enough to indicate to the attorney general’s office that they did not spend the lead-up to the law taking effect sitting on their hands. “It’s more that companies have their hair on fire rather than they’ve been sitting on their hands,” said Jaffe.