A new year means a slate of new laws went into effect across the country Jan. 1. For privacy pros, particularly those based in the United States, the big one in 2020 is the California Consumer Privacy Act. As people rang in the dawn of a new decade Tuesday night, the country's most comprehensive privacy law went into the books Wednesday, and the email inboxes of countless individuals filled up with new CCPA-related notices.
The CCPA is expected to affect approximately 500,000 businesses operating in the U.S., but legal gray areas in the law, such as the definition of "sale," have prompted an array of responses from covered companies. New data access rights for consumers also pose operational challenges for many organizations.
Different interpretations, different responses
In a blog post published last November, Microsoft announced it would honor the CCPA's data privacy rights to individuals throughout the U.S. The company announced a similar response in the wake of the EU General Data Protection Regulation when it went into effect in May 2018. Microsoft said it is also working with its enterprise customers to help them comply with the CCPA.
Last month, Facebook announced it was ready for the CCPA, noting, "For example, we built self-serve tools that let people access, download, and delete their information. We make these tools available to everyone on Facebook, regardless of where they live." The company also said it planned to "introduce a new supplemental notice" in January and that it will support its business partners, encouraging "advertisers and publishers that use our services to reach their own decisions on how to best comply with the law."
In response, Uber now offers a new opt-out to customers who do not want their data shared with Facebook for ad targeting. Uber Head of Security and Privacy Communications Melanie Ensign said, "Although we do not sell data, we felt like the spirit of the law encompassed this kind of advertising."
Google is also helping advertisers comply with the CCPA in Google Ads. It recently announced that it would build on a feature it designed in the wake of the GDPR "by offering restricted data processing ... to help advertisers, publishers and partners manage their compliance" with the CCPA.
Though the CCPA has been a headache for countless businesses, the advertising industry is especially feeling the pinch. "The law has created an enormous challenge for the [advertising] industry as well as others that are information-based industries," Interactive Advertising Bureau Senior Vice President Michael Hahn said in a report by the Financial Times. "There's no issue that has posed more of a problem to lawyers in the privacy and (adtech) space than what does the definition of 'sale' mean in a digital advertising context."
According to The New York Times, some companies, including Oracle and T-Mobile, have said they are responding but have yet to expand publicly on how they are complying.
Mozilla, however, has said all Firefox users will receive the CCPA's data privacy rights to delete personal information, particularly its telemetry data stored on its servers. "We decided to go the extra mile and expand user deletion rights to include deleting this telemetry data stored in our systems," Mozilla Vice President of Global Policy, Trust and Security Alan Davidson said.
Will other states follow? What about Capitol Hill?
In notifying consumers about CCPA-related changes, some companies have used the opportunity to call for federal privacy legislation.
Verizon Chief Privacy Officer Karen Zacharia, CIPP/US, offered some of her thoughts in a company blog post announcing the new policy changes, which include a new "privacy dashboard" to help users "preview" the types of data collected about them, adjust their privacy settings and marketing preferences, and request a download of their data and deletion of data not needed to provide Verizon services, among others.
In her post, Zacharia said Verizon has been advocating for federal privacy legislation for nearly a decade and "urges members of Congress to continue working together to make a national privacy law a reality in 2020."
This is a sentiment shared by many of the big tech companies, including Microsoft. In her November blog post, Microsoft Corporate Vice President for Global Privacy and Regulatory Affairs and Chief Privacy Officer Julie Brill called upon "policymakers in other states and in Congress to build upon the progress made by California and go further by incorporating robust requirements that will make companies more responsible for the data they collect and use, and other key rights from GDPR."
Though a federal privacy law may be further down the road, some progress is taking place on Capitol Hill. Both Senate Democrats and Republicans have offered draft versions, which feature considerable overlap, though preemption and private right of action are major sticking points. IAPP Senior Westin Research Fellow Müge Fazlioglu, CIPP/E, CIPP/US, has detailed these draft bills.
In addition to driving policy talks in the nation's capital, the CCPA may also become a blueprint for other U.S. states to issue their own laws. New York, Illinois and Washington state are all expected to issue draft laws in 2020, according to Axios.
States will also continue to pass more sectoral privacy laws. Last year, Maine and Nevada passed sector-specific privacy laws, and Illinois is expanding privacy protections for users of genetic testing kits. New York's Stop Hacks and Improve Electronic Data Security Act goes into effect March 21, 2020, and "is bound to have far-reaching implications for (chief information security officers) from Wall Street to Upstate," according to a report from BankInfoSecurity.
Though it is hard to imagine any comprehensive bill coming out of a Capitol Hill embroiled in an impeachment inquiry and presidential election, the CCPA and other state laws will continue to drive talks in Washington.
"I have faith in the ability to get a strong privacy bill with willing partners," Sen. Maria Cantwell, D-Wash., recently told The Hill, but added, "I don't know if the United States Senate has the will to dedicate floor time to any major policy. We haven't demonstrated that thus far and that's what that would take too. ... Is that going to happen in 2020?" asked Cantwell, who would have to sign off on any bipartisan bill. "I don't know about that."
Though it's hard to predict what will happen with regard to a federal privacy bill in 2020, the reality is that the CCPA is here and other states will surely follow.