The new privacy law passed by the California legislature went into effect January 1, 2020. While some of the specifics are still being worked out (the final text of regulations was just submitted on June 1st), the intention of the law is to ensure five key rights for California consumers. They are:
- The right to know what personal information is being collected about them.
- The right to know if their information is being sold or disclosed, and to know who is getting access to it.
- The right to opt-out of the sale of their personal data.
- The right to access the data that a company has about them.
- The right to receive the same price and level of service if they choose to exercise their rights.
Now, I want to make it clear that I'm not an attorney, and I do not claim to know all of the intricacies of the CCPA regulations. I was, however, part of a development team tasked with implementing compliance with the new law for a large e-commerce website. During this time, I was involved, not only in implementing the technical changes needed, but also in some of the business discussions around the requirements. One thing that I kept hearing, during these business discussions made me cringe. It was: "This only applies to users who live in California."
Okay, that may seem like a fairly innocuous comment, and technically, it's true, but it was the intent behind the statement that really got to me. Look back at that list of five rights. They seem completely reasonable to me, and I think they would to most other users as well. But the company's legal and business teams were very adamant that the implemented changes should only be applied if we could verify that the request was coming from a resident of the state of California. Now, don't get me wrong, I understand their reasoning. They collect a lot of data about their users, and that data is very useful to their business. Additionally, the CCPA definitions of what constitutes "personal information" and "sales of data" are quite broad and cover a lot of business cases that go beyond specifically selling data for money. The company wants to continue collecting as much data as they can, so they can continue to operate in the same way they always have.
I believe there are a couple of problems with this mindset though. First of all, there's the technical challenges. Identifying the data that belongs to a resident of California can be tricky. While there are already third-party companies offering to handle the processing of requests for data, it's far easier to handle all of the data in the same manner, regardless of where a user lives.
Second, it's highly likely that other states will soon pass their own privacy laws. According to Axios, similar legislation is expected in New York, Illinois and Washington in 2020. There has also been some movement in Congress this year to pass federal privacy regulations. Putting processes in place that deal only with users in California, overlooks the big picture of where privacy laws are headed. Treating all users' data the same now may alleviate some of the changes that will be required when new laws are passed.
Finally, and most importantly, in my opinion, is customer sentiment. Yes, CCPA specifically applies to residents of California. But what will a customer living in South Dakota think about your company if they click the link to ask you not to sell their data and take the time to fill out the opt-out form, only to receive a response that the rules don't apply to them? It's likely that their opinion of your company will diminish considerably, and they may choose not to do business with you in the future.
Before you commit to a process for implementing the new CCPA changes specifically for California residents it may be prudent to consider these questions first. Is it worth the effort to implement technical changes for handling customers in a specific state? Will you need to change your process if other states pass similar laws? And, while it's true that, currently, you only have to comply with the new CCPA regulations for customer's living in California, is it worth it to continue collecting and selling the data of other users, even if they ask you not to? Take a close look at the lifetime value of a customer, and consider whether it's more costly to lose their data, or to lose the customer entirely.