Just when the dust was settling after months of intense GDPR prep, California did the unthinkable: Its state legislature wrote and passed a massive privacy law in less than three days. If you thought a 72-hour breach notification mandate was onerous ...
But sussing out the details of the bill — its scope, requirements, and potential liabilities, which, I can assure you, we're doing — isn't the only thing that's proving slippery for privacy pros. At a basic level, what that heck are we going to call it for short?
We famously have HIPAA — not to be confused with a hippo — and COPPA and PIPEDA. These are acronyms we pronounce: "hip-pa," "cop-pa" (sometimes "cope-pa," but not to be confused with CalOPPA, which sounds like "cal-oppa" and is a totally different law) and "pip-pe-da" (sometimes "pie-pee-dah"). On the other hand, we have the "G-D-P-R" and the "G-L-B-A." We sound out the letters and place "the" in front of the law. But when we pronounce the acronyms, we forego "the" and dive right into pronouncing it. I mean, who actually says "the H-I-P-A-A"?
Then there are the laws that fall in the middle. Some privacy pros say "fick-ra" for the FCRA. We here at the IAPP go with the "F-C-R-A," but "fick-ra" is cool, too. Even our flagship certification, the CIPP, is pronounced both ways, with some referring to it as the "sip" (though we prefer the "C-I-P-P" moniker). Heck, we have advisory board members who call us "eye-app."
Please don't do that.
But this stuff matters. Not only is it important that we all understand each other when we're referring to these laws, but with the power of Google and other search engines over the way people access information, we can't have some people searching "CalOPPA" and "COPPA" and expect the same results. That's why "define" is part of our mission here at the IAPP. Industries grow and prosper partly thanks to a common nomenclature and understanding.
With regard to the California Consumer Privacy Act of 2018, we've settled thus far upon CaCPA, or "kak-pa." Here's our reasoning.
First off, CaCPA's stately cousin, CalOPPA, has long been accepted. To match, we wanted to go with CalCPA. But here's the rub: There's this massive organization called the California Society of Certified Public Accountants, and they go by CalCPA. That would be a hashtag and SEO nightmare that we as an industry should try to avoid. We'd find ourselves at Summit being inundated with questions about whether this is GAAP or non-GAAP we're talking about here.
A quick glance at Google Trends is revealing. For those who are unfamiliar with the tool, we can compare search terms to see whether people are actively searching for a given word or phrase. Most notably, you'll notice that green line — which represents "California privacy law" — spikes June 24. Gee, I wonder why? You'll also see that "CalCPA" and "CCPA" are regularly searched.
A search of "CalCPA," both via Google and the Twitter hashtag, reveals that it is clearly the territory of the state's accountants. Personally, I'd prefer to not have to sift through dozens of daily "#CalCPA" tweets if I'm looking for the latest thought pieces on the law.
Plus, how do you even say that one? "Calk-pa"?
OK, so I think it's safe to say that CalCPA is out. Any objections?
Less definitively, "CCPA" is an acronym for at least a handful of organizations: This includes everything from the official website of Cumberland County, Pennsylvania, to the Chicago College of Performing Arts to the Charlotte Cooperative Purchasing Alliance. There are, however, a couple hits for California's new privacy law, and a search for "#CCPA" on Twitter reveals that it has been the hashtag of choice this past month.
So maybe CCPA is still in the running, but here's why we didn't go with it.
Early on, we decided to avoid CCPA (the "C-C-P-A") because we're talking about a state law. And the U.S. federal government has had the quasi-privacy Consumer Credit Protection Act since 1968. We don't want to step on toes! Further, since this is a state law, with a CalOPPA precedent, it seems more logical to keep the full up-style elements to federal-level laws.
Which brings us to CaCPA, or "kak-pa." Since the bill's surprising passage last month, we've referred to it as "kak-pa" in conversation, CaCPA in our content, and #CaCPA in our social posts. And no doubt, plenty of folks are frustrated with the law. I've personally seen it referred to as "CACA," or "ka-ka."
However, we recently received feedback that we cannot refer to it as CaCPA.
We cannot call it CaCPA. It reads like “cock-pa”. How about CalCPA?
— Mary Ellen Callahan (@MECPrivacy) July 25, 2018
Really, though, is "calk-pa" better?
I doubt the Californian surfer pronunciation will win - it will be the midwestern /Ohio middle American accent that will win. Hence cock-pa. And yet, we are still having folks call COPPA COPA, so we might not win... #privacyacronyms
— Mary Ellen Callahan (@MECPrivacy) July 25, 2018
Ultimately, of course, the people who are working with this law every day will decide the matter. Language coalesces and evolves. Just ask The Associated Press, which just finally relented and said go ahead and use "over" to mean "more than" since everyone's doing it. They also, however, just told journalists not to use HIPAA, but rather to either spell the law out or refer to it as the "federal health privacy law."
Why?
Because so many people have been writing "H-I-P-P-A"!
For now, we're sticking with CaCPA. But feel free to try to dissuade us in the comments.
By Makaristos [Public domain], from Wikimedia Commons