This time it's California, not the eastern bloc, making trouble for the Internet. Europe wrote the GDPR to apply outside its borders. Now California will require the EU to add “do-not-sell-my-data” buttons to sites and services.
I’ve written before about the CCPA (California Consumer Privacy Act) which is set to become law in a few months. For those that need a refresher, the law gives Californians various rights to see, delete, and prohibit the sharing of some of the data that digital businesses collect. This sounds well and good, but the devil is in the details, which are onerous, and often imprecise or garbled. There has been ferocious debate around the hastily drafted legislation, and Friday the 13th (queue the eerie music) marked the final day for modifications before the law hits the books. We’re now in the phase where consultants rewrite their powerpoint presentations and charge you again for the *newly-updated* compliance webcast.
Now I’m in favor of better privacy and data protection practices... but not this particular law. The keyword in that sentence, better, is driving me nuts. While GDPR touched on some stuff that was more about competition law than privacy, it also introduced a number of reasonable obligations around transparency and data security. Developers should take those requirements to heart. Aside from the law, adhering to these measures is the right way to maintain user trust in the software we create. You’ll see much of the good stuff reflected in the Trust Principles and best practices we’ve captured as part of our Trusted Developer program (it’s free, so check it out!).
Then along came California.
Again, there’s some good ideas in the CCPA, but overall the law is hard to unpack and it mandates some odd behavior. Take that “do-not-sell” button; how you interpret that obligation depends on what the law’s definition of “sell” is. Spoiler: it’s not the same definition as the dictionary.
“But wait,” you say. “I’m from Europe!”
Well, here’s where we re-learn that what goes around, comes around. As I read the bill, if you do business in California (have your lawyer answer as to if you do) or have users that are in California (however you figure that out per CCPA), then you need to comply or face fines and court dates in the US. Regardless of whether you purposefully court Californians, if they can reach your app or website, you might be in trouble.
So, what’s a dev to do? Here’s what I’d do if I was in your shoes and needed to prepare for the arrival of CCPA:
Step one: I’d clean up, catalogue, and encrypt (or de-identify) all the user information my company had in their possession. Everything. Parsing the definitions of what’s personal information and what’s not is more trouble than it’s worth. While I was at it, I’d track down all of the partners and outside contractors that have access to the data I hold. I then would put contracts in place to ensure they take the same steps.
Step Two: I’d start charging for the app or service my company offered — BUT I’d offer 100% discounts if people allow (a de-identified) collection of their data. This is a bit of a safety net as the law restricts whether or not an app or service can deny access to those that opt-out of data sharing. I’d play it safe, and keep “pay for play” as a future fallback by reserving those rights now.
Step Three: I’d map the user’s path through my app or website and decide where and how often to put the do-not-sell button in place. Perhaps, if my quick data test told me I only had a few California users, I’d set up a duplicate site and prefilter the audience so Californians hit their personal pages, but with cookie banners and everything else, maybe one more button and a TV-news screen crawler are going to be the new norm.
Step Four: I’d wait for the dust to settle, and prepare for an internal 6 month project starting in January 2020 to consult the experts and make all CCPA compliance live. I keep hearing that enforcement won’t come before June or July 2020. I’m a risk taker, but I think the odds of that being true are pretty good.
Bottom line: Add CCPA to your GDPR compliance program, and code that “do-not-sell” button.