California’s new Consumer Privacy Act could lead to an invasion of your privacy

When the sweeping California Consumer Privacy Act was rushed through the Legislature in less than a week last fall, lawmakers and officials basically said: “Don’t worry. We know it has problems, but we have more than a year to fix them before it goes into effect.”

When Attorney General Xavier Becerra held a series of rulemaking forums focused on the privacy act across the state earlier this year, legal experts and business leaders testified to those problems. 

In particular, they warned, the law’s overly broad definition of personal information could hurt Californians’ privacy, rather than protecting it, by forcing businesses to connect non-identifiable data, such as information tied to cookies or device IDs, to users’ real names or identities.

Once again, we were told, “Don’t worry. We have the entire legislative session to fix it.”

Now, with a week left in the session, businesses around the world are scrambling to meet their compliance requirements, and many of those same official voices are saying, “Don’t worry. It’s not going to be enforced until July, so we can fix it next year.”

They are wrong. 

Next year is too late. If the Legislature waits any longer, California will have lost its best chance to defuse this issue before it causes severe and simultaneous damage to consumer privacy and California’s competitiveness. 

Unlike the Legislature, businesses cannot wait until the last minute before making major policy changes. Such changes require costly and time-consuming overhauls of their technical systems to ensure compliance. 

Tens of thousands of lawyers, software engineers, system architects, and data experts are already working on dedicated teams at companies around the world to implement the changes mandated by the California Consumer Privacy Act.

If the law is not fixed before the legislative session ends, those companies will move forward with structural changes to their systems to comply with the language as written. 

Many will determine they must combine the non-identifiable cookie-related data they have with the real names and identities of those users, so they are not in violation of the access request requirements when the law takes effect, regardless of when enforcement begins.

Ignoring the steam whistle of that accelerating compliance locomotive, one California news organization claimed in a recent editorial that the Legislature’s failure to fix the law is a good thing because the law already “gives companies room to fix the missteps they will inevitably make” by correcting “violations within 30 days without penalty.”

Editorial writers who express such optimism might want to ask their technology counterparts whether a major non-compliant data system at their paper could be redesigned, reengineered, reprogrammed, and relaunched in less than a month.

Apologists for the law also note that businesses could turn to the attorney general’s office for guidance about the regulations. But no corporate lawyer would allow their company to disregard the requirements of a new law in hopes that the Attorney General would somehow modify its language or choose not to enforce it.

Put simply, the law is the law. Once it takes effect, businesses will take the steps they believe are necessary to comply with it.

That means the privacy of millions of Californians will suffer, as companies break down the walls between non-identifiable data and the names or identities of those users, so they can comply with the terms of the California Consumer Privacy Act.

The Legislature can still fix this issue and others before the die is cast and fundamental changes are made. We urge that lawmakers not to let this opportunity slip away.

—

Dan Jaffe is group executive vice president for the Association of National Advertisers, djaffe@ana.net. He wrote this commentary for CalMatters. To read his previous commentary for CalMatters, please click here.