This morning we reported on the path to passage of the Californa Consumer Privacy Act (CCPA), a data privacy initiative adopted unanimously by the California State Assembly.
The legislation as ultimately constituted was shepherded through in something of a hurry. The bill was introduced one week before it was passed, and signed hours later by Governor Jerry Brown. Now begins a waiting — and lobbying — period, as interested parties will likely seek to have the legislation amended before it comes into effect at the beginning of 2020.
The tech industry and the associations which represent it are suddenly beginning to stir. Internet Assocation VP for state and government affairs told The Hill: “Data regulation policy is complex and impacts every sector of the economy, including the internet industry. That makes the lack of public discussion and process surrounding this far-reaching bill even more concerning. It is critical going forward that policymakers work to correct the inevitable, negative policy and compliance ramifications this last-minute deal will create for California’s consumers and businesses alike.”
In a statement, Google spokesperson Katherine Williams said the law “came together under extreme time pressure, and imposes sweeping novel obligations on thousands of large and small businesses around the world, across every industry. We appreciate that California legislators recognize these issues and we look forward to improvements to address the many unintended consequences of th?e law.”
Consumer advocacy groups will, of course, move on to lobby for similar legislation in other states.
How strongly does CCPA resemble GDPR? It does crack down on vague, ambiguous routes to consent. Users must be provided with “a clear and conspicuous link on the business’ Internet homepage, titled ‘Do Not Sell My Personal Information.” On the other hand, this is a route to opting out rather than — GDPR-style — opting in. Complicating matters, however, positive, opt-in consent is required from consumers under the age of 16.
And while the legislation empowers Californian consumers it does, of course, impact non-Californian businesses doing business in California. Specifically, it applies to any for-profit business “that collects consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of California” (full text of legislation here).
But it’s not hunting very small businesses, or businesses with only a cursory interested in data collection and dissemination. You need to have gross annual revenues in excess of $25 million; deal in the data of more than 50,000 persons, households, or devices; and — this is important — derive 50% of more of annual revenues from selling personal information.
That last qualification, as currently drafted at least, seems to narrow the scope of businesses affected considerably. But CCPA does give business owners — and lawyers — something new to think about.
Tomorrow: marketing tech figures comment on the legislation