Historic California data privacy measure leaves companies scrambling

California will become the first state in the country to have a comprehensive data privacy law on Wednesday when the California Consumer Privacy Act (CCPA) goes into effect.

Companies are scrambling to figure out how to handle the law, which is expected to require major firms to disclose the personal information they collect from consumers and what they do with it.

Much about the law, which will not be enforceable until either July 1 or six months after the final rule is released, remains unclear.

California Gov. Gavin Newsom signed the bill into law in June 2018, but California Attorney General Xavier Becerra only just published the first round of draft regulations in early October. His office closed the public comment period on Dec. 6, and the final version of the regulations is due out soon.

The bill is expected to allow Californians to view the information that companies have collected about them, and to opt out of that collection. The law is expected to forbid companies from discriminating against users who opt out of data collection.

While the law is not enforceable for now, California has hinted that companies could be sanctioned retroactively if they disregard the new rules on Jan. 1.

A spokesperson for Becerra told The Hill that qualifying companies “should be prepared to adhere to the law as of January 1,” suggesting that retroactive enforcement may be possible.

“While we can’t take action until six months after finalizing our rules, or July 1 — whichever comes first — we can consider a business’s efforts to comply with the law from January 1, onwards,” the spokesperson said.

The CCPA technically applies to businesses with online traffic in California that have annual revenues over $25 million, collect data on 50,000 consumers or receive 50 percent of their revenue from selling data, according to the draft regulation.

But even though it’s a state law, the California rules will have ramifications across the United States.

Since most businesses have web traffic in California, most major online companies will have to adhere to the requirements or risk enforcement action from Becerra’s office. Some companies, like Microsoft and Mozilla, have said they will extend changes made to comply with CCPA to all users.

Facebook has said the tools it has developed to allow users to access and delete their data will be available regardless of geographic location.

Apple, Google and Twitter have also all introduced tools letting users view and download data collected about them.

Yet the response beyond that from U.S. companies has been inconsistent.

“There’s been wide variation in what’s out there,” David Stauss, a partner at Husch Blackwell who assists companies with compliance, told The Hill.

Some experts are recommending businesses avoid extending protections to non-California residents to avoid unnecessary liability.

“Our recommendation, and I think the prevailing wisdom, has been to only extend privacy rights to the people who have those,” said Stauss, who warned of possible lawsuits.

“In California if you don’t respond to a request to delete or a request to know adequately the enforcement mechanism is the attorney general’s office, but if you’ve voluntarily extended those rights to somebody outside California what’s to say you can’t be sued for consumer fraud?”

California’s first in the nation regulations comes amid a broad push from several different levels of government to create data privacy legislation.

Congress has been locked in bipartisan negotiations to develop a federal privacy statute for months, but major sticking points have kept a bill from getting to the floor.

Republicans in both the House and Senate have insisted that they will not support a privacy law unless it preempts state legislation like California’s.

Democrats have made including a private right of action — allowing individuals to sue companies for data misuse — a must in any bill. The CCPA is expected to include a very narrow private right of action after an attempt to expand it fell short in the California Senate.

A draft of federal privacy legislation shared with stakeholders and obtained by The Hill last month punted on both of those divisive questions, suggesting that the wait for Congress to lead on the issue may continue.

The CCPA will go into effect over a year after Europe’s landmark privacy law, the General Data Protection Regulation (GDPR), which set transparency standards for companies handling personal data, required sites to minimize the amount of information they collect and gave users more control over their own data.

While companies have been complying with that law, and some like Microsoft have complied with it globally, it is not clear yet how much the two rules will have in common, potentially creating headaches for companies operating in both markets.

“When the CCPA first came out, there was a lot of thought that if you’ve done GDPR you’re already 80 percent of the way there,” Stauss told The Hill. “I don’t know that that’s ultimately come to pass… it’s just vastly different than GDPR” when it comes to privacy policies.

With federal legislation remains tied up, other states may follow California’s lead.

Maine and Nevada have already passed narrower internet privacy laws, and nearly a dozen other states have considered data legislation already.

Among those states are Massachusetts, New York, Oregon and Illinois. The potential for a patchwork system of privacy laws has left many companies unsure about whether to adhere directly to CCPA or develop broader, more flexible data management regimes.

Adding to the data privacy law morass, California may pass additional rules in 2020.

The group behind the ballot measure that originally resulted in the CCPA are reportedly planning another ballot measure which could create an independent agency to enforce data privacy rules and an opt-in system for internet users under 16, a proposition backed by Sen. Dianne Feinstein (D-Calif.).

“I think the fairest way is opt-in,” Feinstein told reporters in December, saying that opt-out systems help businesses profit on unknowing customers.

While California has beat the federal government and other states to the punch on data privacy laws, the CCPA is likely to be the first in a flurry of regulations as consumers grow more concerned about the conduct of the biggest online platforms.

“This is the start not the end,” Stauss said. “We’re going to see a ton of states looking at this issue, I think we’ll see some states really try to get it across the finish line this year now that the California statute is fully baked.” 

“Buckle up — it’s going to be a wild ride for the next probably 3 to 5 years until we get some sort of normalcy in this area.”