‘Companies have their hair on fire’: California privacy law compliance is likely to be a last-minute scramble
With less than a year until the California Consumer Privacy Act takes effect, it is looking more likely that there will be a last-minute scramble of companies trying to comply with the law, similar to the one seen last year in the lead up to the General Data Protection Regulation.
Dealing with the California privacy law “is more difficult than dealing with GDPR,” said Dan Jaffe, group evp for government relations at the Association of National Advertisers.
The California privacy law is especially challenging for companies trying to comply with it because the law is a moving target. The California state legislature may still pass amendments to the law this year, and those amendments could force companies to undo or redo their early compliance efforts. Additionally, the law takes a broad definition of personal information. For example, it covers any information that identifies or “could be reasonably linked, directly or indirectly” to an individual or household, according to its text. The inclusion of “reasonably” can complicate companies’ abilities to determine whether they are or are not subject to the law, a determination that will ultimately be up to the California attorney general’s office, which is charged with enforcing the law and has only recently begun a series of public hearings to solicit feedback on clarifications that may be needed.
“You’re trying to fix the plane while it’s in the air and not crash. The takeoff has already happened. The law has passed,” said Jaffe.
The first issue is just less time: Companies had four years between when the GDPR was approved and when it was enacted to have meetings and hearings with regulators to understand how companies are expected to comply with the law. For the California privacy law, companies will have had just shy of 18 months between when it was approved in July 2018 and when it will take effect on January 1, 2020. That window is made tighter by the fact that there remain a lot of unanswered questions regarding how companies are expected to comply with the law and it is unclear when or even if clarifications will be made.
Many questions, few answers
Those questions may or may not be answered during the six public hearings that the California attorney general’s office began hosting throughout the state in January. The attorney general’s office is using these hearings to solicit feedback on the rules it is responsible for making that companies are meant to adhere to when abiding the law. Then there’s the further complication of the potential for amendments to be made to the law.
Industry organizations, including the ANA and the Interactive Advertising Bureau, continue to relay clarification and change requests to the state attorney general and legislators. The ANA’s svp of government relations Christopher Oswald attended a public hearing that the attorney general’s office held on January 14 in San Diego to request five clarifications, and the IAB’s evp of public policy Dave Grimaldi plans to attend the hearing that will be held in Los Angeles on January 25 to similarly provide feedback. The IAB also plans to schedule a “lobby day,” in February to meet with state legislators in Sacramento, said Grimaldi.
No time to wait
Given that much of the law remains in limbo, companies looking to comply should operate under the assumption that the law will not change, Jaffe said.
In late November, law firm Perkins Coie hosted a fireside chat in its San Francisco office with California special assistant attorney general Eleanor Blume to discuss the California privacy law. “It’s pretty clear that she was taking a position that companies should really get started in their thinking about the CCPA and that they should not be hanging back waiting for amendments before they get started with thinking through what this might mean for their business,” said Dominique Shelton Leipzig, partner at Perkins Coie and co-chair of its ad tech privacy and data management practice.
Early compliance steps
Legal experts such as Leipzig and industry organizations including the IAB have recommended that companies should get started by taking an inventory of the data that they collect from people, including their own employees. This is important because when the law takes effect on January 1, 2020, companies will be responsible for the data that they collected over the prior twelve months, meaning that companies will need to review the data they have collected since January 1, 2019.
Companies that have had to comply with the GDPR should have already done this data management work and are likely “70 to 80 percent of the way home on CCPA compliance,” said Greg Leighton, partner at law firm Neal Gerber and Eisenberg. For these companies, Leighton’s general advice is to “continue to take a wait-and-see approach until at least Q3 or Q4” when clarifications are likely to have been made.
Companies that did not need to comply with the GDPR but meet the California law’s requirements — at least $25 million in gross revenue or deals with the data of at least 50,000 people or devices for business purposes or makes at least half its money from selling people’s data — will need to do the data inventory to assess the data coming into their companies, how that information is processed and how it is stored.
“There’s no way to do a compliance program for CCPA without doing those basic activities first,” Leighton said.
Once that data management work is done, then companies can look at low-hanging fruit like revamping their privacy policies to reflect the law, such as its requirements for companies that sell people’s data to provide people with a way to opt out of that sale and to request that the company deletes that data.
Maybe by that time, there will be more clarity into how companies are meant to comply with the law. And if not, at least companies will have done enough to indicate to the attorney general’s office that they did not spend the lead up to the law taking effect by sitting on their hands. “It’s more that companies have their hair on fire rather than they’ve been sitting on their hands,” said Jaffe.
‘Boomer spring break’: Alaska Airlines is creating its own hype house for boomer influencers
With boomers being many of the first people vaccinated in the United States, the ability to get back to travel is more prevalent for that audience. So too was the pent up demand, according to Natalie Bowman, director of marketing for Alaska Airlines.
‘An early red flag’: Mobile ad industry grapples with early uncertainties from Apple’s tracking crackdown
It’s been a week since iOS users started receiving notifications that they could turn off cross-app tracking and unsurprisingly it’s difficult to draw any meaningful conclusions so far.
‘Culture is our number one export’: How an Atlanta-based marketing collective is pushing for tangible diversity gains
After a year of calls for radical change in the name of George Floyd, a collective of Atlanta advertising professionals is calling on the industry to put its money where its mouth is.
SponsoredHow The Company Store is reimagining customer experiences for pandemic-era growth
Throughout the pandemic, some retail categories have been inherently successful. Home furnishings and décor are among them; with consumers spending so much more time at home, updates and renovations flourished. Criteo data from the first half of 2020 showed sales for items like outdoor furniture sets up 434% year over year, with other home items […]
‘Inflection point’: Microsoft’s GM of Global Advertising Business on privacy, ad business growth
Digiday caught up with Steve Sirich, to hear how the company is pitching advertisers today and how work-from-home has impacted the company’s ad business.
Facebook is ‘not a researchers-friendly space’ say academics encountering roadblocks to analyzing its 2020 election ad data
As governments aim to regulate social media to assuage problems with misinformation and election meddling, researchers are skeptical of restrictions in new political ad data from Facebook.