According to the International Association of Privacy Professionals (IAPP), “state-level momentum for comprehensive privacy bills is at an all-time high.” As of June 2019, they listed 19 state-level bills and statutes, each with a unique combination of consumer rights and business obligations addressed.
To understand where we are with amending CCPA now and what is happening at the federal level, we interviewed Dan Jaffe, Group Executive Vice President, Government Relations for the ANA, whose team, in conjunction with others in the ad community, was responsible for introducing the CCPA amendments that recently passed. Our interviewers are LiveRamp’s Albert Wang, Product Marketing Lead, Consent Management, and Audrey Luk, Content Strategist.
Listen to the podcast below or read an excerpt of our conversation.
Audrey: Is a federal-level regulation that could preempt CCPA possible? If so, what needs to happen for that to occur?
Dan: We believe that there is a need for federal legislation in the privacy area. It’s a critically important step, both for the advertising community and the public at-large, on the appropriate way to deal with data, and we are very active in this effort. We have created the Privacy for America Coalition, which includes our association, along with the American Association of Advertising Agencies, the IAB, the 4A’s, the NAI, the DAA, and a number of other companies, to try to develop detailed language that would cover this.
People should not have their privacy rights be dependent on where they are. Right now, not only is there the CCPA, but also Nevada has recently passed legislation in this area, a “CCPA-light” bill, and Maine has passed legislation affecting ISPs. Many other states have been considering privacy legislation. We believe this can create a real regulatory nightmare for advertisers and balkanize the marketplace, and it does not make any sense because geography is not the issue—the internet does not depend on geographic location. So, getting a law that makes sense across the board is absolutely critical in making sure there’s a level playing field as well.
Albert: Just to expand on that, what would that federal-level regulation look like? What are some of the stipulations, and how might it be different than the CCPA?
Dan: The federal legislation we are trying to develop would do three things. It would break data use into three categories. First, inappropriate use of data would be one category. There would be a second category which would delineate what are appropriate uses of data. And then there would be a third residual category that was neither purely a violation nor appropriate per se, and we would allow the FTC to define the treatment of that category, by either guidelines or rule-making.
In regard to the first category, these would include the kinds of things we already know are of concern, such as using health or financial information inappropriately or being discriminatory in the use of data. A wide range of per se violative characteristics would be spelled out. This would not put the onus on the consumer, which is the case right now under the CCPA, as well as the GDPR, of having to decide on a case-by-case basis whether they want to opt in or out of allowing data collection and knowing how their data is used. They could be educated on making these decisions in a more reasoned and balanced way.
Audrey: In light of what you just laid out, what are some of the current issues you see with the CCPA?
Dan: The CCPA was passed in a week with virtually no hearings, and we think it’s very important to improve on it. We were successful in getting about 12 amendments to the CCPA through the California Assembly. What’s not clear yet is whether this will get through the Senate gauntlet in California.
If it does not, then starting on January 1, 2020, companies will face very immediate and significant restrictions. That’s a signal that every company needs to be getting themselves ready right now to be able to respond to the demands of the CCPA. The 12-month look-back provision of CCPA appears to mean that all personal information collected by companies in 2019 on California consumers falls under the purview of the CCPA. When a California consumer asks for all of the data that has been collected on them, companies are immediately required to provide that information within 45 days, free of charge. If companies are not ready to do that on January 1, 2020, they may be in serious jeopardy.
Beyond that, the CCPA has a private right-of-action provision for breaches. So, if there’s a breach starting on January 1, 2020, companies can be sued for enormous amounts of money.
It is absolutely critical that companies take this very seriously and get ready. They cannot assume that we’re going to get federal legislation. We’re moving as fast as we can, but we’re in a complex political situation now where Congress is divided; there’s a tremendous amount of friction there that I think everybody is fully aware of. So moving any major legislation through is hard, and certainly any complicated legislation like privacy is even harder.
We still think there is a chance to do it, and we’re making every effort, but people can’t count on that. They have to be working on preparing for CCPA full-time, as well as getting prepared to respond to the various legislative proposals that will be in place.
One other thing I should say is that we have been able to defeat one important amendment. It’s not just putting things in but making sure that things are not added on by the various legislators that will make the law worse. One of the big victories we had was an effort by California legislators to try to make private right-of-action imposed across the board for the CCPA other than just for data breaches, and we were able to avoid that.
The three triggers for coverage of companies under this law are a $25 million gross receipts requirement. Those gross receipts do not have to be for business in California. They can be anywhere, as long as you’ve had even just one transaction in California. You can have $25 million of gross receipts, which is different than having net receipts, and still be covered.
It also would sweep you in if you have collected 50,000 pieces of personal information that you have provided. The definitions of personal information are extraordinarily broad, and therefore will sweep in many companies.
And finally, it says that if half of your income comes from sales that the CCPA pertains to you. Sales are defined in a very peculiar way under the CCPA because it covers not only those things we normally think of as a sale, where money changes hands, but even if you just provide data from one company to another, that can also be treated as a sale. So, I think a lot of companies are going to be surprised to find that they’re covered under this law when they didn’t expect to be.
Albert: Thanks so much for your efforts in protecting innovation in the industry. You mentioned earlier of all the work that you’re doing in Washington. What’s a good way for marketers to get involved and support you?
Dan: First, I think it is extremely important that companies share the major concerns they are uncovering as they prepare to respond to the CCPA, to the Nevada legislation, and other proposals that are out there. Having specifics that we can talk to legislators about is useful for those like myself who lobby at the state and federal level.
It would also be useful to connect with the right people within companies so we can ask them questions and get information when we need it. Certainly, it would be incredible if companies are willing to step forward and help us lobby on proposals that would aid the improvement of the CCPA and other bills.
Albert: Great. So, in the time frame between the CCPA and a potential federally preemptive law, what are some things companies should be thinking about and how should they be proceeding forward?
Dan: They should be getting their lawyers to look closely at the CCPA as it exists now and what it will require to be responsive. As I mentioned, one of the major requirements of the CCPA is to be able to respond to any California consumer who requests data about themselves, and be able to provide that data within 45 days free of charge. That will require people to do a survey within their own companies of how they collect and store data, and how they would then be able to produce it and make sure that they’re giving it to the right people, because you certainly don’t want it going to the wrong people.
Different groups within the industry will have to deal with this issue in different ways. Third parties under the law have to be able to get some clearance from consumers to be able to use any data. For many third parties, this will be difficult because they don’t have direct relations with consumers. We’re trying to get one of our proposals to state that third parties can rely on attestations of first parties that the consumer has agreed to the use of their data, and that the third party can then rely on that. Again, not a resolved issue under the CCPA.
And on top of this, once we get all the legislation resolved one way or another, which should be early in September, there is a rule-making required under the CCPA where the Attorney General of California is supposed to figure out how to resolve all of the various ambiguities in the law. So, we’ll certainly need companies to share what problems they see in understanding the law, so when we talk to the Attorney General, we can make sure he and his staff are fully apprised of problem areas and pain-points that could be cleared up by this rule-making effort.
Albert: What are the best ways for companies or any groups working on CCPA compliance to reach out to you and the ANA?
Dan: They can reach out by calling our office, which is 202-296-1883, and asking for me, or we have a number of other staff here who can respond. Or they can email me at DJaffe@ANA.net.
Audrey: Thanks so much, Dan. Look forward to your inbox blowing up.
Dan: In this instance, it will be a pleasure.