Analysis: The Ambiguities in CCPAThree Key Areas That Need Clarification
With the California Consumer Privacy Act set to go into effect Jan. 1, 2020, companies are making last-minute compliance preparations.
But these preparations are challenging because the final version of regulations proposed by California Attorney General Xavier Becerra to carry out the new law, which could clarify a number of ambiguities, are still pending and won't be published until next spring. And the law will not be enforced until July 1, 2020.
Many websites and advertising technology companies reportedly are uncertain whether they must offer consumers the "do not sell" option. For example, it's not clear whether placement of a third-party cookie on a website to enable advertising falls within the scope of the CCPA's definition of the selling of data.
The proposed regulations by the attorney general don't adequately clarify the ambiguities, some security experts say.
Here are three examples of ambiguities in the law.
Opting Out of Data Sale
CCPA requires companies that sell consumers' personally identifiable information to post a notice on how consumers can select a "Do Not Sell" option.
But the law's definition of "sell" is very broad, making it unclear who has to comply with this provision, some regulatory experts say.
CCPA defines "sell" as "selling, renting, releasing, disclosing, disseminating, making available, transferring or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information to another business or a third party for monetary or other valuable consideration."
Because this definition is so broad, many websites and advertising technology companies reportedly are uncertain whether they must offer consumers the "do not sell" option.
For example, it's not clear whether placement of a third-party cookie on a website to enable advertising falls within the scope of the CCPA's definition of the selling of data.
Given the ambiguities, "a lot of companies out there are in a 'wait and watch' mode," says Caitlin Fennessy, research director with International Association of Privacy Professionals. "Small and mid-sized companies are waiting for the big companies to design vendor contracts."
'Reasonable' Security Practices
Another area of ambiguity in CCPA is the definition of "reasonable security practices."
CCPA states that statutory damages of $100 to $750 per incident can be awarded to consumers whose personal information has been compromised by a breach of personal information resulting from a business's "violation of the duty to implement reasonable security procedures and practices appropriate to the nature of the information to protect the personal information."
But what constitutes a reasonable security practice is not totally clear, some observers say. Some experts believe, however, that those enforcing CCPA will take into account standard industry security practices, much as the Federal Trade Commission does in its enforcement efforts.
July 1 Enforcement
With CCPA going into effect Jan. 1, 2020, but enforcement not slated to begin until July 1, 2020, what happens if a company is breached next year before enforcement begins?
The attorney general has not yet made it clear whether a company could get penalized under any circumstances if it is found to have violated CCPA requirements before the enforcement begins.
Some legal experts predict, however, that the courts would not uphold penalties for violations before the enforcement date.