Companies wrestle with California’s incoming data privacy laws in US

There’s another year to go until the California Consumer Protection Act (CCPA) comes into being, but businesses, government bodies and other institutions will be using 2019 to ready themselves for the new law, which was passed in less than a week last summer.

The creator of the CCPA, the California attorney general’s office, conducted hearings last month to listen to views on the new legislation that will continue to be held throughout the west coast state’s cities over February.

The Association of National Advertisers (ANA) and the Interactive Advertising Bureau are two trade groups to have given their views on how they feel the new laws may disrupt business continuity. The pair are also encouraging legislators to think about amending terms, bringing more clarity in certain areas, or making more exemptions.

Speaking on behalf of the ANA, Dan Jaffe said that in its current state, the CCPA could force some brands’ bonus schemes into dangerous waters, as it could prove difficult to issue equal incentives to those who choose to consent, or refuse to consent, to data sharing.

Companies would have to formulate “massive data pools” dedicated to honouring consumer personal information request, and that these could at the same time become a big attraction to hacking, Jaffe said.

“It’s just like talking about the fundamental piece of the body and acting like you can just discuss it and change it dramatically without talking about the others,” he said.

Research conducted into varying formats of compliance, by law firm Baker McKenzie, finds that 68% of businesses in tech, media and telecommunications claim to have had compliance breaches revealed by a regulator, which is more than any other sector, Baker McKenzie says.

However, compliance need not prevent a firm from growing. Co-chair of the law firm’s global compliance and investigations arm, William Devaney, explained that linking compliance through a company can promote expansion because it promotes communications and funding across all departmental levels.

“The manager at every level of an organisation have it ingrained in them that the company is going to behave in a compliant manner,” Devaney said.

The issue doesn’t just concern big technology firms either. CEO of The Nonprofit Alliance, Shannon McCracken, said:

“Nonprofits use data to reach beneficiaries, to figure out how to most benefit programs, to figure out where the need is greatest, and to measure our impact in the world.”

Senior staff attorney at EFF, Adam Schwartz, said:

“The consumer has no idea who these companies are, and if they want to know, there is no way to find out until you have the registry of data brokers.”

Businesses in the US should not take that as an excuse to do nothing about compliance processes until 2020, when the CCPA comes into being, however. Furthermore, meeting the standards of the EU’s GDPR also does not equate to satisfying the demands of the new Californian legislation.

Professor Jeff Sovern states that firms will have to update their websites by January 1st 2019 to enable consumers to decide whether or not to grant their consent to their data being collected. He also said that consumers will be able to request access to data reaching back over a year.

Should Congress choose to pass its own privacy law this year, all this debate may have little relevance. Senator Marco Rubio has brought in new laws that would forestall state law, but other legislators will bring in their own bills in the spring, it is anticipated.


PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.

For more information on upcoming events, visit the website.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.