Fresh Off GDPR, Companies Puzzle Over Complying With California’s Privacy Law
Marketers and advertisers are scrambling to figure out how to comply with a new privacy law in California that takes a broad view of personal information and carries hefty fines for data breaches.
In one week in June, California lawmakers revived and passed first-of-its-kind U.S. privacy legislation, known as the California Consumer Privacy Act, which will change the way that digital advertisers and tech companies use consumer data.
The new law came just after companies had rushed to comply with the European Union’s General Data Protection Regulation, which went into effect on May 25. But unlike the GDPR, which came after years of deliberation and gave corporations two years to become compliant, California companies have until Jan. 1, 2020, or 18 months from enactment, to get up to speed.
Companies have even less time than the California attorney general’s office, which has six months after the law goes into effect to formulate an enforcement strategy.
Under the new law, all California consumers have the right to opt out of the selling of private consumer information, and both California companies and those that collect and sell data on the state’s consumers must make that data easily accessible to residents.
In California, personal information includes any data that can be directly or indirectly associated with a particular consumer or household, such as an alias or phone number. In contrast, the EU law protects only information that directly or indirectly identifies the consumer, like an address, license plate number or a national identification number.
Dan Jaffe, executive vice president of government relations at the Association of National Advertisers, said he’s been calling members to see how the bill will impact them.
“I keep getting three or four pain points from everybody, but they’re different,” Jaffe said. “Now the question is how do you prioritize and make sense of it so that we end up with something that’s livable and makes sense, which is not an easy task, unfortunately.”
Jaffe said for ANA members, such as Unilever United States Inc., Apple Inc., and AT&T Inc., those “pain points” encompass the legislation’s broad definition of personal information and the penalties, including fines of up to $7,500 for each instance of an intentional violation in a data breach.
The ANA is working with California lawmakers to pare down the state privacy law and with federal lawmakers to pass nationwide privacy legislation -- though that faces an uncertain path.
On the federal level, Jaffe said the ANA wants a comprehensive privacy law that is tough enough for regulators but easy enough for consumers to understand, to pre-empt a “hodgepodge of laws” coming from state governments.
“How likely that is, I don’t know,” he said. “It was not easy already, to say the least, but with a divided government I think that makes it even harder to get an agreement.”
One problem facing compliance preparations for the California privacy law is the lack of enforcement parameters, said Sunny Kang, a Stanford Law fellow who is on leave from her job as international consumer counsel at the Electronic Privacy Information Center, a research group.
In California, the attorney general’s office has until July 1, 2020, to figure out how to enforce the privacy legislation.
California Attorney General Xavier Becerra told the law’s sponsors, Assemblymember Ed Chau and state Sen. Robert Hertzberg, in an Aug. 22 letter that the data privacy law creates “unworkable obligations” and “serious operational challenges,” such as the lack of allocated resources for the new enforcement tools.
Kang said it was a serious problem that the law doesn’t have “specific powers delegated to the AG to audit and reprimand and issue warnings” to companies.
For some tech firms, becoming compliant with the new law won’t be much of an issue.
Thunder, a San Francisco-based ad tech company, works with brands, including AT&T and Anheuser-Busch InBev SA, to determine what advertisements consumers see, how often they see them and on which devices.
Chief Executive Victor Wong said his company, which also had to comply with GDPR, already has a database of the consumer information it collects that complies with the California law. Thunder will just need to add opt-out mechanisms for consumers, as GDPR instead requires opt-in tools.
Ray Kingman, CEO and founder of Semcasting, a Massachusetts-based data company that relies on IP address targeting, said his company plans to roll out an app in the next year so California consumers can see what data Semcasting has collected about them and how it’s being used.
“The idea is to give people the ability to say ‘Hey, what we know about you isn’t really all that threatening or inappropriate from a marketing perspective,’” Kingman said, “because including that information, even at an aggregated level, is going to be beneficial to you as a consumer.”
The quick passage of a statewide data privacy law in California has also inspired similar legislation in Washington state, Massachusetts and New Jersey.
Much of the momentum behind state-mandated privacy legislation is the result of companies’ high level of compliance with the European Union’s GDPR and recent data breaches and misuses of personal data by American companies, said Adam Schwartz, senior staff attorney at the Electronic Frontier Foundation, a nonprofit focused on digital rights, which has been supportive of the California law.
He said large companies should be able to know and obey varying privacy laws in different states.
“To operate a brick-and-mortar store, you have to obey labor laws, environmental laws, safety laws that vary from state to state,” he said. “So we don’t think it’s an unreasonable duty for bigger businesses to know what the privacy laws are in the 50 states.”
But Jaffe said for ANA members, following privacy laws on a state-by-state basis will create a headache for both consumers and companies, which is why the association is pushing for federal legislation.
Rep. Ro Khanna (D-Calif.), whose congressional district is in Silicon Valley, introduced the Internet Bill of Rights in October, laying out a framework for future privacy legislation in the 116th Congress that gives people the right to see what personal data companies are collecting, and opt in to third-party collection or sharing.
Khanna spoke about the framework in a phone interview Dec. 11, just as members of the House Judiciary Committee were questioning Google CEO Sundar Pichai about tech company products and capabilities not under Google’s purview. Khanna said that he’s worried that some lawmakers’ lack of tech literacy will hinder prospects of passing comprehensive privacy legislation in 2019, even though the reception to the Internet Bill of Rights has been positive so far.
Khanna said the new California law lacks necessary enforcement mechanisms and that any privacy law would need a strong federal enforcement agency -- like the Federal Trade Commission or Federal Communications Commission -- to be truly effective.
The Senate has started work toward creating national legislation. The Committee on Commerce, Science and Transportation, headed by Sen. John Thune (R-S.D.), has held hearings with industry experts and technology companies in recent months to collect ideas and feedback for a federal law.
“GDPR and CCPA have undoubtedly spurred our conversation about a national privacy framework, and they give us useful examples as we contemplate federal legislation,” Thune said in his opening remarks at an October hearing on consumer data privacy. Thune’s office declined recent comment, and pointed to his remarks at recent hearings as indicative of his views.
Jaffe said a lot is still up in the air next year.
“They had a worthy goal,” Jaffe said of California lawmakers. “But they might have created problems that are worse than the problems they were trying to solve.”
Sam Sabin previously worked at Morning Consult as a reporter covering tech.