“Data-Driven Thinking” is written by members of the media community and contains fresh ideas on the digital revolution in media.
Today’s column is written by Gary Kibel, a partner in the digital media, technology and privacy practice group at Davis & Gilbert.
The rollout of the California Consumer Privacy Act (CCPA) has been, perhaps, the most disjointed process for such a significant legal development in recent memory. While the latest revisions to the proposed draft regulations contain many positive developments, many in the ad tech industry can’t help but feel like Charlie Brown, trying his best to kick a football while Lucy makes that seemingly simple task impossible.
The CCPA was dropped into the laps of the industry without much input and contained typos, inherent conflicts and more ambiguity than clarity. A series of amendments in 2018 and 2019 made progress, but still didn’t give the industry a clear blueprint for compliance.
Ahead of the Jan. 1, 2020 effective date, the California attorney general issued “draft” regulations on Oct. 11, 2019. That gave businesses less than two months until the CCPA went live, and they scrambled to implement compliance procedures based on proposed regulations that may or may not have ultimately been the official rules of the road. That meant businesses had to revise privacy policies, amend existing contracts, launch consumer choice mechanisms and build out internal processes, all with blinders on.
The industry lobbied the attorney general to revise these draft regulations during the open comment period, but once the comment period closed in December, the industry had to jump off the CCPA cliff not knowing what was at the bottom.
Last Friday, just before 5 pm EST, the California attorney general issued revised draft regulations. (Guess what the ad tech industry did that weekend.) Another update released Monday corrected one omission. These revisions do contain many positives, such as clarity on how sale opt-outs should be processed, procedures for consumer access, disclosures in a privacy policy and data broker obligations. There were also new requirements, such as WCAG 2.1 standards to make website disclosures accessible to those with disabilities, and just-in-time notices on mobile so that users are presented with messaging and pop-ups at the moment their personal information is collected for unexpected purposes.
But these regulations are still not final. In our second month living in a CCPA world, we still do not know the final rules for compliance.
The ad tech industry often complained about Europe’s General Data Protection Regulation (GDPR), but in hindsight, the GDPR rollout looks awfully pretty. After the EU finalized the rules, it gave the industry two full years to become compliant.
All laws presumably have important societal goals and the government should want to encourage compliance. The CCPA process thus far has been filled with uncertainty, with continually moving goal posts, and it has not felt like compliance has been top of mind.
Given that the rules are not yet final, if someone says they are completely CCPA compliant, they must be the great seer, soothsayer and sage Carnac the Magnificent.
Imagine a beautiful world where the rules of CCPA were final and crystal clear, with the industry then having six to 12 months to build and publish well-thought-out compliance programs. This would benefit the industry and consumers, while also accomplishing the goals of the law.
Alas, one can only dream of such sanity.
Follow Gary Kibel (@GaryKibel), Davis & Gilbert LLP (@dglaw) and AdExchanger (@adexchanger) on Twitter.
