We are now two weeks into enforcement of the California Consumer Privacy Act, the first statewide internet privacy law in the U.S. But the legislation’s rocky road to this point could spell trouble for the two dozen other states and territories drafting bills with similar privacy protections and for businesses that are not yet compliant.
“This is just the beginning of a very complex story that’s unfolding. It’s just going to get worse for brands,” said Matt Voda, CEO of OptiMine Software Inc., a marketing measurement firm. “Companies need to take this seriously and understand the risks within their technology because it will get more complex. The time to act is now.”
The CCPA gives consumers the right to request that their data be deleted or to opt out of companies selling their personal information.
That mandate comes with its own challenges for businesses trying to comply with the law, including when a consumer asks to have their information deleted. “The brand now has to understand where a consumer’s data resides even beyond their own servers,” Voda said.
Privacy experts are expecting other states to begin ramping up efforts to adopt their own privacy legislation next year after there’s been time for California to fully implement and enforce its law, said Michelle Richardson, who directs the data and privacy project at the Center for Democracy and Technology.
Maine, California and Nevada have already enacted their own laws protecting consumer privacy, and 24 others have bills in development.
A look at which states have adopted privacy legislation
The backlash facing the California legislation represents “the danger of going first in any law or policy area,” Richardson said, adding, “There are going to be growing pains, and so it’s not necessarily a huge criticism.”
Other gray areas and questions persist, including whether a browser can universally opt out for a consumer. Which violations will be targeted for enforcement? And what about the privacy announcements of device manufacturers like Apple?
A proposed question on the upcoming November ballot calls for establishing a state enforcement agency.
Brands are complying, mostly
For the most part, it seems like brands are complying with CCPA, said Julie Rubash, vp of legal for Nativo, a native advertising platform. Specifically, publishers are still collecting data, “but in a transparent, privacy-compliant way,” Rubash added.
In terms of consumer behavior, not much has changed since CCPA became law in January. Only 0.91% of consumers in the Nativo marketplace have chosen to opt out of providing brands with their personal information, Rubash said.
It remains to be seen whether those sentiments change as privacy laws continue to be established in other states.
In the meantime, CCPA has left some businesses wondering how they should prioritize collecting and using consumers’ personal data. “That’s a question that all companies are going to be asking themselves, especially with things like Google sunsetting the third-party cookie,” said Rubash.
Among the worst offenders in collecting data are the platforms where consumers post about their everyday lives, said Britt Paris, assistant professor at Rutgers School of Communication and Information.
“We need to switch completely to cooperatively owned-and-run platforms and internet structures. That seems like a far-off hope,” Paris said, but noted laws like CCPA are a good starting point.