October 18, 2018 - In short, the California Consumer Privacy Act (CCPA) will change the way online businesses do business. The law, which goes into full effect in 2020, will give consumers control over how companies use their information; inclusive of sharing it with outside parties. And it also provides consumers with a right of private enforcement - meaning that individual consumers will be able to sue companies that violate the law. Unfortunately, CCPA may also be the final impetus for congress to enact a national privacy law that would preempt it along with privacy laws in other states.
The CCPA's biggest issue is probably the companies that will be hurt the most by it. Companies like Google and Facebook that sell tremendous amounts of online advertising and which collect huge amounts of consumer data. That data is valuable, but for it to have value these companies need to be able to sell it in some form. And that's where CCPA comes in.
Under CCPA, the companies collecting data on California consumers would have to give those consumers nearly complete control over how their data is used. That's a real problem for a company that sells data for ad targeting. To give you an example of how their business models work, just think of a product that you've searched for online. All of a sudden you might see ads for that product popping up wherever you go on the internet. CCPA may make that impossible.
The results of that would be that online advertising space could lose much of its value. That means a revenue reduction for the companies selling advertising; both from the reduced value of their own ad inventory and from their inability to sell targeting data to third parties. Not surprisingly, the companies that would be hurt the most aren't taking the threat lying down.
Instead, they are pumping time and money into lobbying efforts in Washington, DC. And those efforts may be paying off for them. Congress has been holding hearings on what a national privacy law might look like. Although they have been hearing from privacy advocates about the pitfalls of preempting stronger state laws, those arguments are likely falling on deaf ears.
Ever since California implemented the nation's first data breach notification law, companies have been making the argument that a national standard is needed because it is too difficult to comply with 50 different state laws. That California law forced companies to start making data breach notifications nationally, even in states that didn't have such a law. That's because 10% of the country's population lives in California.
That same argument is being used with regard to CCPA; that it will be too difficult to deal with differing state standards for online privacy so a national standard is needed. In this case, congress is much more likely to buy into that argument because of the money involved. And clearly, even though the law says that it only impacts California residents, it will impact interstate commerce too.
ACCESS has been arguing against a national standard for data breach notification for years because every proposal we've seen would weaken consumer protection. We really expect the same thing to happen here. But California may have pushed all of the wrong buttons with CCPA. And that could come back to hurt us all.
byJim Malmberg
Note: When posting a comment, please sign-in first if you want a response. If you are not registered, click here. Registration is easy and free.
|