CCPA, California’s GDPR, confuses and confounds

Richi Jennings, industry analyst and editor, RJAssociates

The California Consumer Privacy Act (CCPA) came into force yesterday. Are you ready?

Thought not. The lawmaking and subsequent rulemaking seem to have been rushed, leading to ambiguity and confusion.

Happy new year, citizens. In this week’s Security Blogwatch, we eyeroll at Sacramento.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: tabs or spaces?

Because privacy

What’s the craic? Sam Dean and Suhauna Hussain report—California is rewriting the rules of the internet:

Most businesses with a website and customers in California … must follow the new rules, which are supposed to make online life more transparent and less creepy. … The only problem: Nobody’s sure how the new rules work.

Thanks to the technical complexity of the system and the rushed timeline for implementation, a number of basic questions remain unanswered. … The attorney general’s office, which is tasked with both interpreting and enforcing the law, only published its first round of draft regulations in early October. [AG] Xavier Becerra declined to provide specifics on his agency’s plans to enforce the law.

A 2019 report commissioned by the [AG’s] office estimated that getting in compliance with the law could cost the companies affected $55 billion upfront, with the potential for an additional $16 billion over the next decade. … The most wide-ranging effects of the new law fall on the online ad economy and the businesses … that rely on it … including tech giants such as Facebook and Google and media companies.

But what does it all mean? Natasha Singer says Nobody Agrees:

Millions of people in California are now seeing notices on many of the apps and websites they use: “Do Not Sell My Personal Information.” … But what those messages mean depends on which company you ask.

Many of the new requirements are so novel that some companies disagree about how to comply. … The issue of selling consumer data is so fraught that many companies are unwilling to discuss it publicly.

The wide variation in companies’ data-disclosure practices may not last. California’s attorney general said the law clearly requires companies to show consumers the personal data that has been compiled about them.

And Nandita Bose has retailers rush to comply:

The California Consumer Privacy Act (CCPA) … becomes effective at the start of 2020 and is one of the most significant regulations overseeing the data collection practices of U.S. companies. It lets shoppers opt out of allowing retailers and other companies to sell personal data to third parties.

[It] is likely to overhaul the way companies benefit from the use of personal information. [It] follows Europe’s controversial General Data Protection Regulation, which … gave companies years to comply while CCPA has given them a few months.

The California Attorney General recently [said it] will look kindly on those that demonstrate an effort to comply. But sources [say] they expect plaintiff attorneys to bring lawsuits in the new year against a range of businesses that may fail to meet the law’s requirements.

What to do? Kristina Podnar looks at the bigger picture—How to Survive the Coming Data Privacy Tsunami:

Just as we became used to the idea that the … GDPR is a fact of life and made modifications in our data collection procedures, the Brazil General Data Protection Law (LGDP), the … CCPA, and waves of other proposed new data privacy laws are forecasting a privacy tsunami heading our way. … Although you will need to pay attention to the details of individual data regulations as they arise, all the privacy regulations share a number of commonalities.

Data privacy requirements are intended to motivate organizations to self-manage their data in a way that respects end users. [You should] mandate that data privacy become part of the policy program. … Clearly document roles, responsibilities, and reporting lines to embed privacy compliance.

Gone are the days of legalese or simply taking data from users because we can. Data privacy regulations require transparency, user awareness, and forthright behavior. [You should] treat privacy as a core design principle.

After years of collecting as much data as we could, we are starting to realize that all that data has an evil twin: risk. In addition, consumers have become more aware that their data is a valuable resource, and they're asking more questions about how it's used and who has access to it.

[Full disclosure: Your humble blogwatcher edited Kristina’s recent book.]

Give me liberty, or …? jwymanm sounds frustrated:

Governments need to stay out of this. … All this is going to do in the end is employ even more lawyers.

This ends up just destroying anyone smaller. The loss in freedom of the web and having even more **** to click NO or YES combined with the absolute mess it is to do any kind of business … is worse than the original offense.

Like in many laws, the fix is worse than the fault.

And ailideex hopes for fewer unintended consequences:

I'm not confident that this is a good thing after the mess that resulted in me having to navigate dozens of cookie popups on most days.

But Humbubba wants more government, not less:

If we in the US are to have privacy for real, we must start with a constitutional, enforceable right for the protection of personal data. … The problem is that data is the "new oil".

Surveillance and AI are making some entrepreneurs very rich, and turning the whole world into surveillance states. But it's even worse than that. By turning us into products to be sold, we have been stripped of whatever it is that was supposed to make humans unique.

Still, all these updated privacy policies are a good thing, right? Right??? Jeff Kosseff—@jkosseff—despairs:

States should be out of the data protection business altogether. This is inherently a federal issue. … California certainly has not made a persuasive case for giving states the power to regulate data protection.

If one of the goals of CCPA was to provide customers with meaningful transparency about data collection and use, it has not yet done so, at least based on the dozens of updated privacy policies that I've reviewed this week.

The policies generally repeat CCPA's list of about 10 categories of personal information, and use the same list of examples from the statute. As I read the disclosures, I have no better understanding of the types of data companies actually collect and what they do with the data.

Of course, CCPA is not just about transparency, as it provides access, deletion, and sales opt-out rights. But the CCPA's privacy policy requirement does not seem to be terribly helpful.

Meanwhile, go heed gojomo:

Which will win the crown for destroying more Californian livelihoods & wasting more citizen time in 2020, CCPA or AB5? (AB5 is the [law] whose intended targets … may escape its application, while … freelancers have their traditional contract work patterns made illegal.)

The moral of the story?

You’re probably subject to CCPA, so what are you waiting for?

And finally

Tabs or spaces?


You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Renee Mortensen (cc:by-nd)
