This cartoon depicts the travails of complying with the CCPA as it rapidly evolves. The CCPA originated when a referendum regarding consumer privacy rights was scheduled to be on the ballot in November 2018. Alastair Mactaggart, the referendum’s sponsor, offered to withdraw it if California passed a law. So, in the summer of 2018, the California legislature passed the CCPA in an all-out dash to beat the deadline for the referendum’s withdrawal
Businesses scrambled to get ready to comply for the CCPA’s effective date – January 2020. Being ready to comply with the CCPA requires quite a lot of work. Further complicating compliance, the CCPA is riddled with ambiguities and difficult tradeoffs between privacy and data security.
In 2019, a number of amendments were passed to make clarifications and adjustments to the CCPA. But the amendments still left many unresolved issues. Then, draft regulations were released in 2019. The regulations haven’t brought clarity or resolved many of the most problematic difficulties in the law. Instead, the regulations have added requirements beyond the law and raised new questions and challenges.
On top of all this, Mactaggart is proposing new referendum for 2020. The CCPA thus isn’t standing still; it continues to develop quite quickly.
Many critics of the CCPA blame policymakers for creating a deeply flawed law. But the CCPA exists because people are really concerned about privacy. For too long, industry and policymakers dismissed people’s concerns as irrational or as not really valid. Until people’s concerns are addressed, expect more developments with the CCPA, other California laws, and laws from other states.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy and data security training. He also posts at his blog at LinkedIn, which has more than 1 million followers.
Professor Solove is the organizer, along with Paul Schwartz, of the annual Privacy + Security Forum events.