With two years to prepare for GDPR, most sites crawled over the compliance finish line while many were left inaccessible for months beyond the deadline.[1] The California Consumer Privacy Act is next.
Of course I can't start this post without a disclaimer. Nothing here should be considered legal advice. I'm not a lawyer nor do I come close. I am a planner and web strategist, so considerations like these are at the top of my mind and may be something you should consider too.
The California Consumer Privacy Act (CCPA) takes effect Jan. 1, 2020 and will have a meaningful and sweeping impact on the way personal information is handled on the web. Companies that gather and monetize customer data using the web – this means you. As of Jan. 1, 2020, a CA resident will have the legal right to request if and how companies are handling their information, who has purchased it and why. That company has 45 days to reply with a report that details why and how they are using the information and who they may have shared it with over the last 12 months (yes – that means this has immediate impact).[2]
Additionally, this grants these consumers the right to opt out of the sale of that information, request it to be deleted, and to access it in specific ways. While the focus is on California residents, this precedent will effectively apply to the entire U.S. as data collection and web functionality rarely differs by state. Consider this along with the fact that CA often acts as a catalyst for legal change, and the impetus is stronger.
For this legislation, "personal information" is broad and includes the following (plus inferences made using these as well):[3]
- Personal identifiers (name, address, SSN, IP address, email, etc.)
- Property records
- Employment history
- Biometric data
- Browsing history
- Geolocation data
- Audio, visual, thermal, olfactory or similar information including facial recognition
- Psychometric data
This will of course have impacts on the big players like Google, Facebook and Twitter who generate revenue from targeted ads, but also an even bigger impact on data brokers like Experian, Spokeo, and Acxiom. Then there are the potential implications (especially with other legislation on the horizon) for cable and internet companies who collect and sell information about the browsing and viewing habits of their customers. While much of this legislation came on the heels of major data breaches from the industry giants (ahem, Facebook), the impact is far reaching.
So what does this mean? It's almost certainly lots of updated privacy policies or CA-specific privacy pages. One statute stipulates the need to add a link on the business's homepage titled "Do Not Sell My Personal Information" that facilitates an opt-out. If you're selling that information to a third party, you'll likely need to give the person explicit notice and an opportunity to opt out.
There is plenty more.
The Interactive Advertising Bureau recently put together a super helpful CCPA Roadmap document that I recommend reading whether or not you play in the digital advertising space. Beyond that, read through the legislation itself.
While this has more significant impacts on sites in the media and marketing space, it's hard to think of a site that doesn't ask for your email address. Personally, I can't think of many clients over the last ten years or more who HAVEN'T brought up requests for geolocation or personalization when talking about what they want on their websites. Our focus for clients is to make sure they're aware of this legislation, to encourage them to discuss it with their legal teams, and to work with them to incorporate potential changes into future site iterations.
Footnotes
[1] http://www.niemanlab.org/2018/08/more-than-1000-u-s-news-sites-are-still-unavailable-in-europe-two-months-after-gdpr-took-effect/
[2] https://medium.com/pcmag-access/are-you-ready-for-the-california-consumer-privacy-act-d74b9c7f3ec4
[3] https://internetofbusiness.com/california-passes-landmark-data-privacy-act/