Our Initial Thoughts on California’s Consumer Privacy Act (CCPA)

If you think back six weeks — granted, a difficult task in 2018 — you may recall hearing something about a new privacy law in California. It was framed as if Godzilla had loosened his grip on Tokyo (Tokyo is a stand-in for the EU in this metaphor) and leaped across the Pacific, landing squarely in Silicon Valley, ready for destruction. As quickly as it came, though, it was gone. And nary a building was toppled. We should be paying more attention.

California governor, Jerry Brown, hastily signed Assembly Bill 375 into law on June 28, the very same day that it came to and cleared the floor. National publications heralded the bill, referred to as the California Consumer Privacy Act (CCPA), as GDPR lite, a characterization that sounded alarm bells in most industries. GDPR lite is a misnomer, though, as CCPA expands upon GDPR in a few meaningful ways.

Even more telling, the expediency displayed in its passing was no mistake. The California legislature, facing a sure-to-pass, far-more-restrictive, and difficult-to-modify version of the bill — a ballot measure brought by Californians for Consumer Privacy — took the less painful of the two routes. Interesting enough, the Thursday on which CCPA passed also happened to mark the last day on which the ballot measure could be pulled from consideration.

For a brief moment, it appeared that we may have gained some wisdom and foresight from our recent bout with GDPR. Attention precipitously dropped as the ever-shortening news cycle moved along. Within two weeks, the public conversation around CCPA seemed reminiscent of that around GDPR in 2017: somewhat non-existent.

As we saw with GDPR, the likelihood of organizations to take preparatory action is negatively correlated to the amount of time remaining before implementation, exponentially so in some cases. Empirically, it’s not surprising that, with an actual implementation date of January 1, 2020, CCPA isn’t exactly looming in our collective consciousness.

That’s 512 days away, you say? No sweat. It certainly leaves a lot of opportunity for the considerable opposition to lobby for amendments to the law’s scope. We’re probably okay to ignore it for at least 508 days.

As Shakespeare’s Mercutio would say to everyone thinking this, “a pox on your house“!

Potential changes to the law notwithstanding, its current form and significant future impact on most organizations, I think, warrants comprehensive consideration and preparation. Without going into too much detail here, the fact that the law poses the thought of running two separate websites, one for California and one for the rest of the US, as a means of compliance is reason enough to take pause.

Further, CCPA and the politics of how it came to pass speak to the broader course of privacy-related regulation globally, a topic that will be critical to the formulation of macro-level strategy in the years to come.

I make a big deal about this for many reasons, some of which we’ll explore in depth, but simply put: this is obviously something that people care about. They care so much so that nearly 700k Californian petitioners, backed by only $3.5 million, bent a trillion-dollar industry to their will by way of landslide votes in the CA House and Senate. That’s saying something.

As much as we talk about brands forming deeper bonds with their customers through digital media, that rhetoric rings hollow if we don’t sincerely respect their wishes, particularly regarding something as sensitive as personal data.

The fleeting, superficial coverage of CCPA failed to convey the gravity of its implied future state — an error, to be sure — but a stronger indictment could be made in the wake of GDPR of the current failure to warn against similar unpreparedness heading into 2020. Recognizing this shrugging-off of impending regulation by the regulated, a number of questions arise that need answering.

Doesn’t the US already have privacy laws? What gives?

What exactly does CCPA require of organizations, and how does one know whether it applies in their situation?

How does CCPA overlap with and add to GDPR?

What are the implications of non-compliance, and how do the concepts of jurisdiction and enforcement compare to other regulations?

Wild speculation about the future of regulation in the US and globally (maybe based on case studies of previously regulated practices).

What is the market doing to address privacy concerns outside of introducing regulation?

The scope of inquiry here is pretty broad but necessary. So, it’s time to dust off the white- paper-writing hat and get to work. In the meantime, the one piece of advice I can offer without reservation is this: I’m not a lawyer. You need a lawyer to provide professional guidance on CCPA. Please, please hire a lawyer.

To read the CCPA in its entirety, you can find the legislation here.