The Expert's View with Suparna Goswami

CCPA , Governance & Risk Management , Privacy

Analysis: The Ambiguities in CCPA

Three Key Areas That Need Clarification
Analysis: The Ambiguities in CCPA

With the California Consumer Privacy Act set to go into effect Jan. 1, 2020, companies are making last-minute compliance preparations.

See Also: 5 Requirements for Modern DLP

But these preparations are challenging because the final version of regulations proposed by California Attorney General Xavier Becerra to carry out the new law, which could clarify a number of ambiguities, are still pending and won't be published until next spring. And the law will not be enforced until July 1, 2020.

The proposed regulations by the attorney general don't adequately clarify the ambiguities, some security experts say.

Here are three examples of ambiguities in the law.

Opting Out of Data Sale

CCPA requires companies that sell consumers' personally identifiable information to post a notice on how consumers can select a "Do Not Sell" option.

But the law's definition of "sell" is very broad, making it unclear who has to comply with this provision, some regulatory experts say.

CCPA defines "sell" as "selling, renting, releasing, disclosing, disseminating, making available, transferring or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information to another business or a third party for monetary or other valuable consideration."

Because this definition is so broad, many websites and advertising technology companies reportedly are uncertain whether they must offer consumers the "do not sell" option.

For example, it's not clear whether placement of a third-party cookie on a website to enable advertising falls within the scope of the CCPA's definition of the selling of data.

Given the ambiguities, "a lot of companies out there are in a 'wait and watch' mode," says Caitlin Fennessy, research director with International Association of Privacy Professionals. "Small and mid-sized companies are waiting for the big companies to design vendor contracts."

'Reasonable' Security Practices

Another area of ambiguity in CCPA is the definition of "reasonable security practices."

CCPA states that statutory damages of $100 to $750 per incident can be awarded to consumers whose personal information has been compromised by a breach of personal information resulting from a business's "violation of the duty to implement reasonable security procedures and practices appropriate to the nature of the information to protect the personal information."

But what constitutes a reasonable security practice is not totally clear, some observers say. Some experts believe, however, that those enforcing CCPA will take into account standard industry security practices, much as the Federal Trade Commission does in its enforcement efforts.

July 1 Enforcement

With CCPA going into effect Jan. 1, 2020, but enforcement not slated to begin until July 1, 2020, what happens if a company is breached next year before enforcement begins?

The attorney general has not yet made it clear whether a company could get penalized under any circumstances if it is found to have violated CCPA requirements before the enforcement begins.

Some legal experts predict, however, that the courts would not uphold penalties for violations before the enforcement date.

About the Author

Suparna Goswami

Suparna Goswami

Associate Editor, ISMG

Goswami has more than 10 years of experience in the field of journalism. She has covered a variety of beats including global macro economy, fintech, startups and other business trends. Before joining ISMG, she contributed for Forbes Asia, where she wrote about the Indian startup ecosystem. She has also worked with UK-based International Finance Magazine and leading Indian newspapers, such as DNA and Times of India.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.