The bad news: Lawyers and chief privacy officers think it’s “impossible” to fully comply with certain aspects of the California Consumer Privacy Act (CCPA).
The good news: Everyone’s pretty much in the same boat, and the California attorney general’s office (probably) isn’t looking to put companies that do their due diligence out of business, said D. Reed Freeman, co-chair of the cybersecurity and privacy practice group at WilmerHale.
“What we have is a Byzantine, incomprehensible, incomplete law – but I like to think practically about this,” Freeman said at an International Association of Privacy Professionals event in New York City on Thursday.
Attorneys general usually have their eye on a run for Senate, the governorship or even president, and they make their name with cases that are comprehensible to the voting public.
“He [California AG Xavier Becerra] is going to select for investigation those cases likely to yield press releases against companies that are well known or for big messes that voters understand,” Freeman said.
But making a good faith effort at compliance is harder than it sounds. Under CCPA, consumers have the right to access their personal information, delete it and opt out of its sale. Actually operationalizing those rights is extremely complex and requires a not-insignificant amount of engineering resources.
Hustling for a solution
The Interactive Advertising Bureau and the IAB Tech Lab are developing a CCPA compliance framework that includes a proposal for standardized publisher/partner contracts, as well as several technical specs to put those contracts into practice. A comment period on the draft framework ended on Tuesday.
And the Digital Advertising Alliance is creating a CCPA icon modeled off the AdChoices icon that consumers could click on within an ad in order to opt out.
It’s not 100% guaranteed that either will be finished when the law goes into effect next January.
Noga Rosenthal, chief privacy officer and general counsel at Ampersand, said she’s “hopeful” about the IAB/IAB Tech Lab’s effort, because it relies on many of the same mechanisms that are being used to power the Transparency and Consent Framework for GDPR compliance.
But what’s a company to do in the meantime?
Do what you can
The first step is to undertake an intense data-mapping process, which is fundamental to being able to comply with CCPA or any privacy law, said Cindy Van Ort, chief privacy officer at Thomson Reuters.
You can’t delete someone’s data, for example, or allow them to opt out of its collection or sale unless you know where to actually find the data in your backend systems.
It helps to think of data assets as if they were currency, Van Ort said. “If those were $100 bills, you would know exactly what you have and where it’s going,” she said.
Companies will also need to keep copious records about how they deal with access and deletion requests; they’ll need a process for verifying and authenticating those requests; they’ll probably need a way to segregate Californian data (unless they just want to treat all of their customers as if they’re California residents); and they’ll have to place a “clear and conspicuous” “Do Not Sell My Info” button prominently on every page of their website.
But what exactly does “clear and conspicuous” mean? There’s some guidance on that – the button or link should be visible, accessible and readable even on small screens. “In other words, no funny business,” Freeman said. But neither the act itself nor the AG’s draft implementation regs share any tips about where to place the button on a page.
“I don’t think anyone wants to have it at the very top of their page in red,” Freeman said.
And so it’s likely that most companies will end up stowing the button somewhere in the footer and subtly highlight it in some way so that it’s differentiated from the regular terms of service.
“We’ll see what the AG thinks about that,” Freeman said. “If everyone does it and lighting strikes you in the head, well … sorry.”
Because full compliance is an impossibility, that’s really the goal right now – for businesses not to get struck by lightning.
“There’s too much to do before this takes effect,” Freeman said. “Do the best you can, and keep yourselves below the radar.”