Privacy Gone Public: How growing push for privacy laws may affect U.S. businesses

The World Wide Web turns a spry 30 years old this year and statistics on its usage are mind-blowing. As of October 2018, more than four billion humans — half of the world’s population — are online. On average, Google processes more than 40,000 searches every second, and more than half of the world’s web searches are initiated from mobile phones. Of this online usage, social media reigns supreme. According to a recent study by Domo, every minute of the day more than 500,000 photos are shared on Snapchat, approximately four million users watch a YouTube video, 456,000 tweets are sent on Twitter, and Instagram users post nearly 50,000 photos.

As internet usage increases, so does internet advertising. In 2018, internet advertising revenue in the United States exceeded $100 billion for the first time, according to the Interactive Advertising Bureau. Unsurprisingly, these ads have moved from your desktop to your phone, with mobile ads accounting for 65 percent of total revenues.

Yet, as online usage becomes a constant occurrence in our daily lives, data breaches and online politics continue to make headlines, causing a growing public and political disagreement as to how online user data should be collected, protected and used.

Into this wrestling ring of debate comes the California Consumer Privacy Act (CCPA). Passed in June of 2018 and currently scheduled to go into effect in January 2020, California’s law would be a shift in U.S. data privacy law to something similar to the European Union’s General Data Protection Regulation (GDPR), which took effect last year. As currently written, the CCPA would require that companies be transparent as to what information they collect and provide users a clear opportunity to opt out of the sale of personal information.

How does a California law affect Oklahoma businesses? If you collect large amounts of information from California residents or do over $25 million in revenue, you may be subject to the law. Even if you do neither, proponents believe that the CCPA will set a standard for companies operating nationwide. Opponents argue that data privacy regulation is better left for federal law to avoid differing state standards. No federal privacy law appears forthcoming, however, and at least nine other states are considering their own versions of the CCPA.

So, what does the CCPA require? Among other things, it would mandate that companies covered by the act be transparent as to what information they have and how they use it. Businesses would also be required to provide users a clear opportunity to opt out of the “sale” of their “personal information.” While these concepts may not seem controversial, the subject of continued debate is what some believe are overly broad and ambiguous terms. For example, under the CCPA “personal information” is broadly defined to include IP addresses, geolocation, and internet usage data. “Sell” covers actions such as “disclosing” and “disseminating.” Because these definitions depart from the sale for money of names or social security numbers, they have led many businesses to question whether their current privacy policies would be found compliant with the CCPA’s requirements.

More troubling is that the CCPA is still in a state of flux. Aside from a debate on scope, lawmakers, lobbyists and experts disagree on key aspects of the law with enactment only seven months away. Current U.S. law generally uses an “opt-out” model — namely, businesses can use information until the user “opts out.” Under an “opt-in” model, businesses must get consent before using personal information in a specific way. The CCPA is currently an “opt-out” law, but a recently proposed amendment would change it to require “opt-in” consent. Proponents say this would prevent companies from using personal information as a default. Opponents argue this will result in a myriad of pop-ups and more confusion. Problematically, the difference between opt-in and opt-out is key to how websites interact with users, and the issue appears unresolved.

Lawmakers also disagree on enforcement. The California Attorney General is currently charged with enforcement of the CCPA, with consumer litigation limited to threats of data breach. A recently introduced bill would amend the law to allow consumers to sue for any violation of their rights, which many say would create a blizzard of litigation.

A push for increased privacy that started in the EU may be making its way to the U.S. One thing seems certain: as the push for privacy laws grows, businesses should review what personal information they collect, how they use it, how they protect it, and whether online terms of use and vendor agreements are consistent with that collection and use.