Today is the first day that California will start enforcing its new data privacy law, so if your website doesn’t have a “Do not sell my personal information” link in, say, the footer, you may soon regret it.
The California Consumer Privacy Act (CCPA) was passed two years ago and came into force on January 1, though from today, July 1, the US state’s Attorney General Xaiver Becerra will start enforcing it.
In the past few days, Becerra has been indicating where that enforcement will be coming down hard on businesses that do not have a button or link on their websites that leads to a page explaining how someone can opt-out of having their personal data repackaged and sold.
There is no agreed, standard way to implement that link, and the AG’s office moved away from insisting that a specific button be used, but the most common approach has become to add the phrase “Do not sell my personal information” or just “Do not sell” in the footer of your website so it appears on every page, and make it link to a set of CCPA-compliant instructions. (The Register has had one since January for US readers.)
If you don’t have that link and follow-up mechanism, and you are a company that makes more than $25m a year from Californian customers, then you are likely to be under the spotlight soon. Becerra has also made it clear he will start enforcing the rules aggressively: he criticized the slow enforcement of Europe’s GDPR and has already said he expects to open three simultaneous lawsuits against large companies, as well as a raft of small fines for lesser victims just to make it plain that no one is going to be able to hide from the law.
The Do Not Sell link is also the first step in an instructional infographic the AG’s office put out this week to help people understand the process.
Complaints already in
The next enforcement point will be handling complaints already received from Californians. All companies should have been compliant with the CCPA since January, and Becerra has rejected repeat requests to delay enforcement by pointing that fact out.
Becerra said this week his office had received “a lot” of complaints, with the largest number being folks asking for their personal data from organizations and never receiving it. The second largest category was people who asked for their data to be deleted – and then it wasn’t. So if your company is not able to do either of those things, especially if you have had requests to do so from netizens, then you are also in the cross-hairs.
California emits fine-print of its GDPR-ish digital privacy law, complete with Google and Facebook-sized holesREAD MORE
All of which may see you – yes, you Reg readers – inundated with data deletion requests, according to one man who knows more than most about what’s going on.
Dan Clarke is president of computer consultancy IntraEdge and, together with Intel, his company developed software specifically designed to deal with GDPR requests; software that has since been expanded to deal with California’ CCPA.
Clarke tells us there are estimated 500,000 companies that have not had to deal with GDPR (in large part because they don’t have European customers) that will have to follow CCPA requirements. Those requirements are not that complicated on paper: a company has to be able to supply a customer with whatever information they may hold on them; it has to be able to delete that data if requested; and it has to be able to allow customers to opt-out of that information being sold.
In reality, however, with the mish-mash of different systems that companies typically have working in the background, this can prove difficult – especially the deletion part since the data can be backed up around systems worldwide. And so the burden has been falling on – you guessed it – IT folks.
Clarke admits that manual deletion may work fine for many smaller companies that don’t receive a lot of requests but notes that IT folks are often less excited about the prospect of a long list of data deletion requests clogging up their ticketing system. Coincidentally he sells a system to do just that.
When the first lawsuits and fines start coming down, and Clarke reckons that is going to happen sooner rather than later, many companies are likely to be hit with a double-whammy of greater consumer awareness, and so more deletion requests, and the suits insisting a system be put in place immediately. It’s only a matter of time before the Attorney General’s office signals its intent through a press release naming and shaming companies that aren’t compliant.
Clarke is obviously hoping people will buy and use his company’s software but he also has some pragmatic advice: start doing something now to show that you’re trying. Becerra has indicated that he will go first for companies that are in flagrant violation of the CCPA. So getting the ball rolling on a new data system is better than waiting to see what happens.
Not that everyone is enthusiastic about CCPA. The libertarian think-tank the Competitive Enterprise Institute (CEI) is not a fan of California’s approach, telling The Reg that the CCPA “fundamentally flawed.”
“Not only does the law impose a litany of burdensome rules on businesses of all shapes and sizes, but for all its complexity it is painfully unclear in many important areas including how it defines 'personal information’,” the organization complained, saying a federal law is needed.
Let's get federal
One of the CEI’s research fellows, Patrick Hedger, told The Register: “We are definitely supportive of a federal privacy law. The World Wide Web is fundamentally interstate commerce and Congress needs to ensure California or any other state’s laws do not bleed across their borders.”
Hedger also notes another common complaint: that the CCPA still contains a significant number of ambiguities that make it hard to discern precisely what companies need to do.
“We believe the entirety of the enforcement of this law ought to be delayed given the Covid-19 crisis as well as the fact that we still do not have ‘final’ rules related to many of the provisions of the CCPA,” he told us. “This is particularly concerning given the fact that the definition of ‘personal information’ itself has yet to be finalized.”
But if you think all that was disruptive enough, consider this: a new set of stricter data privacy measures called the California Privacy Rights Act (CPRA) received enough support last month to get on the California ballot in November.
The CPRA is much more closely aligned with Europe’s GDPR and will introduce a range of new measures, tripling fines for violations related to children's data, opt-in consent to collect data from minors, allow users to opt out of the sharing of their sensitive health, financial and precise geolocation data, and create a new privacy agency that would be tasked with enforcing the law - taking the job away from the Attorney General altogether.
If passed, CPRA will take effect in January 2023. ®