Exploiting Loopholes in CCPA
Instead of complying with the requirements of the California Consumer Privacy Act (CCPA), some large digital firms are looking to exploit loopholes that will enable them to continue monetizing consumer data just as they did before. With fines not expected to be handed out until at least July, the law may not force Web giants to change their activities for some time.
The CCPA, which went into effect on January 1 of this year, changes the legal requirements for what companies can do with personal data in the state of California. With a few exceptions, California residents gain new data rights, including the right to:
- Be informed what personal data is being collected;
- Be informed whether a company is selling that personal data, and to whom;
- Be given the opportunity to say no to the sale of their personal data;
- Be given access to their personal data;
- Be able to request the deletion of their personal data;
- And to not be discriminated against for exercising their new data rights.
There are certain limitations, according to the State of California’s CCPA Fact Sheet. Only businesses with more than $25 million in annual revenue must comply, unless they fall into one of two buckets: either they buy or sell personal data on more than 50,000 consumers, households, or devices; or if they derive more 50% or more of their revenue from selling consumers’ personal data. In both cases, they must comply whether or not their turnover hits $25 million per year.
Obviously, there are more details to CCPA, including definitions of what is a resident, what is a service provider, and what constitutes the sale of data. All of this information is recorded in a 28-page document that you can download here. Near the end of CCPA document, it states that rules, procedures, and exceptions will be established by the Attorney General’s office by July 1, 2020, which can be considered the real date that CCPA goes into effect.
This gives companies some wiggle room around CCPA compliance, and some companies are taking advantage of it. Facebook, for instance, is trying to wiggle out of complying with the CCPA by claiming that its business model does not match the CCPA’s definition for “selling” of data, according to a Wall Street Journal story published last month.
“In private conference calls with major advertisers in October, Facebook stated its data collection qualified for the law’s exemption for sending data to ‘service providers’ and didn’t count as a ‘sale’ of data under the law, according to a person who listened to one of the calls,” WSJ reporter Patience Haggin wrote in a December 12 story.
The social media giant maintains that it’s the responsibility of publishers to configure its Web tracking service, called pixel, to block the data of people who have opted out under CCPA. “Businesses already have the ability to manage whether they send data and how they send data to Facebook through pixel,” a Facebook spokeswoman told WSJ in a statement.
Don’t be surprised if the big tech firms continue to look for gray areas in CCPA, says Dave Brunswick, the North American vice president of solutions for Cleo, a data and application integration software firm.
“Finding loopholes is the game right now,” Brunswick says. “I think the big tech guys will play by the rules, but continue to find as many loopholes as they possibly can.”
By identifying as a service provider rather than an advertiser, large tech firms may be able to skirt the letter of the law and continue to do business as before, he says. For Facebook, that means that users may not be given the same opportunity to opt out of tracking as one may have believed that CCPA would require them to.
“I’ve seen various discussions about what exactly is a service provider under the CCPA definitions, and by classifying an advertising aggregator as a service provider, can we get around those loopholes?” he says. “”Everybody is looking for the right loopholes to continue to do what they’re doing.”
While the CCPA sets these top-line goals, it doesn’t spell out the specific steps that companies must take to comply with the goals. In that sense, it’s more of an accounting framework rather than a hard-and-fast law, says Dimitri Sirota, the co-founder and CEO of BigID, which develops tools to help companies discover sensitive data.
“The privacy regulations are fundamentally accounting frameworks. They require you to account for the data.” Sirota told Datanami earlier this week. “They don’t require you to do anything. They just require you to account for the data so that you report back to the regulator or the individuals around what data you collect and why you collect it.”
The big question now is how the CCPA will be enforced by California Attorney General Xavier Becerra after the rules and definitions are nailed down in July. That essentially gives companies a six-month grace period to get their data houses in order — or to find more loopholes.
Becerra could follow in the footsteps of the European Commission, which handed out some stiff fines for violations of the General Data Protection Regulation (GDPR), upon which the CCPA was loosely modeled. (The Federal Trace Commission also fined Facebook $5 billion last year.) However, with the current focus on finding loopholes, following the spirit of the CCPA, rather than the letter of the law, could be good enough.
“Part of what a lot of lawyers should tell companies when they work in the general office or with the chief privacy officer is we need a defensible position,” Sirota says, “so if the AG comes after us, we can say, ‘Oh yeah, we tried our best.’”