Here’s a bit of California Consumer Protection Act (CCPA) trivia for you: The word “homepage” doesn’t mean what you think it means.
Beginning Jan. 1, 2020, businesses covered by the CCPA must prominently display a “Do Not Sell My Personal Information” button on their homepages.
But under the law, a homepage is more than just a site’s introductory page – it’s also defined as “any internet web page where personal information is collected.”
The language implies that publishers and advertisers will have to show the opt-out button to California residents who haven’t yet opted out every time they visit a site and on nearly every page – because what web pages don’t include some form of data collection, from widgets to ads and third-party trackers?
Even if someone doesn’t opt out the first time, eventually they’ll probably click that button, said Bob Perkins, COO of BritePool, during a breakfast event his company sponsored on Wednesday. The identity solutions startup helps publishers keep people from opting out of data collection by providing incentives and data control mechanisms.
In meetings with prospective clients over the past few months, Perkins would suggest that more than 50% of people are likely to opt out of data collection once the law goes into effect. His interlocutors often reacted with, “that’s too high, you’re just trying to scare us,” Perkins said.
But according to a survey released Wednesday of 1,000 American consumers, not all from California, conducted on behalf of BritePool by the USC Annenberg Center for Public Relations, 87% said they would hit the “Do Not Sell” button if they saw it.
The proof will be in the pudding on Jan. 1. There’s usually a wide gulf between what people say they’ll do and what they actually end up doing. When was the last time you clicked on an AdChoices icon?
Then again, it’s smart for businesses to prepare themselves for an initial spike in opt-outs, said Jessica Lee, a partner at Loeb & Loeb and co-chair of the firm’s privacy, security and data innovations practice, speaking at the BritePool event.
“Similar to before GDPR, there has been a lot of press about CCPA, especially in California,” she said.
Businesses shouldn’t expect much more new information before the CCPA effective date beyond the practical guidance provided as part of the California attorney general’s implementation regs.
The first version of the AG’s regs, which should be published sometime in the coming weeks, will offer direction on what the opt-out button should look like, for example, and procedures for how consumers can submit data access requests.
But gray areas in the law, such as the definition of “sale” or the difference between how the law defines a service provider and a third-party entity, will probably remain gray.
CCPA will be similar to the GDPR in that clarifications to the law will likely come in the form of enforcement actions.
“The goal is to just not be that company who is on the front lines, to not be the first target for enforcement,” Lee said.