The final rules for California’s digital privacy law have been published and they are… full of holes.
California's attorney general Xavier Becerra revealed the details [PDF] for how his office will define and enforce the landmark law, which is supposed to give residents of America's Golden State the right to demand what data companies hold on them, the right to request that this information is not sold, and the right to demand that it be deleted.
But despite the California Consumer Privacy Act (CCPA) passing two years ago, the rules still have huge gaps in how they will be applied; holes that will undoubtedly be exploited to avoid the intent of the law after the attorney general starts to enforce it on July 1.
Most significant is a failure to state that the vast databases companies like Google and Facebook are subject to the CCPA; an omission that tech giants are certain to view in their favor. Both companies have long argued that since they don’t directly sell personal information to advertisers, but only access to carefully segmented people on their platforms, that most privacy laws don’t apply to them.
Without an explicit statement that behavioral advertising comes under the “sale of data” terms within the CCPA, Google and Facebook will continue to use their own legal interpretations.
Another significant hole exists in the effort to introduce a single opt-out portal for consumers to indicate that they do not want their data to be stored – rather they have to do so for every individual website, service or app.
There are other significant holes, most of them surrounding definitions of key terms. Third-party cookies on websites remain a gray area – thanks to the lack of guidance – and that will be used by most online advertising companies to maintain the status quo.
California's politicians rush to gut internet privacy law with pro-tech giant amendmentsREAD MORE
There is also no clear guidance on what an opt-out button should look like or where it should be placed on a website, making it a virtual certainty that companies will find ways to greatly reduce its usage.
Taken together, the CCPA – which, remember, was passed only because private citizens threatened to put the same protections into a ballot measure that was almost certain to pass – could end up a largely toothless piece of legislation that is entirely reliant on the attorney general’s office to apply on a case-by-case basis. Or, in other words, become irrelevant to companies like Google and Facebook who were the targets of the law in the first place.
There is some good news: efforts to significantly narrow the definition of “personal information” have been rejected and will remain the same as under current law (Civil Code § 1798.140(o) if you want to know) – and that is broad.
And despite concerted efforts by tech giants to water down the law in Sacramento, it passed largely unscathed and nothing in the attorney general’s rules appear to backtrack on that, even if the deliberate failure to define things opens up many legal loopholes.
Take it out of his hands?
As for Becerra himself, he said in a statement that the law was “game-changing and historic,” arguing that it “gives consumers choice and control over personal information in the marketplace.”
Not everyone agrees. The folks that effectively pushed the CCPA onto the law books in the first place have decided that- thanks to tech lobbying the end result has not been what they wanted – have launched into another ballot initiative that will likely be put in front of Californian voters in November that would strengthen and expand the privacy law.
One of the key components of that ballot initiative? A measure that would take the interpretation of the CCPA away from California’s attorney general and give it to a new regulatory body. ®