A newer, stricter privacy law is on the way. No, not that one. Not that one, either.
Remember the good old days when we all watched astounded as GDPR snuck in from the European Union? We devs were smacked – even those outside the EU – with new privacy obligations. Enter California, whose long-awaited privacy law, the California Consumer Privacy Act (aka “CCPA”) is now enforceable on any company with a California audience. Luckily we’re prepared and have systems in place to keep us from getting sued, right?
BREAKING NEWS: California may now REPLACE the CCPA they just introduced with a new set of rules (including a new enforcement agency) called the California Privacy Rights Act (aka “CPRA”). A November ballot initiative leaves it to California voters to decide. What is going on here and what does all this mean for your apps and users? If you’ve already spent time and money on GDPR compliance, you’ll now need to spend some more to understand and adapt to the CCPA. The law is far from clear for the companies that fit within its scope. If you’re looking for somewhere to start, we wrote about this here. Believe us when we say, however, that you may need to pay an outsider to help you navigate.
Think that’s bad? Even after you’ve revised a second time, maybe after paying an outsider, be prepared for a third round. If the CPRA passes in November, you’ll have some new and revised obligations starting Jan 1, 2021. You just can’t make this stuff up.
If you live in California, you’ll see ferocious lobbying in the months leading to November’s vote. No matter where you live, if your app or business has 100,000 users in California, meets the $25M revenue threshold or makes most of its money from data sharing, you’ll likely be impacted. Especially if a few of your users live in California and choose to make an example of you. Back ’atcha, Europe!
All this churn points out two key flaws in the regulation of privacy online. First, extending the reach of national laws beyond geographic boundaries places an enormous burden on developers. Many of them want to do the right thing but simply can’t, since rules inevitably overlap and conflict.
Second, by leaving the national field empty of privacy regulation, the U.S. has mandated-by-lack-of-mandate that states create their own privacy regimes. This has led to a competition among the states, with each aiming to outdo the other(s) in scope of jurisdiction, severity, and application. Soon we’ll have a patchwork of overlapping laws that will tie not just technology companies, but all U.S. companies, in knots. By moving aggressively, California is hoping to bypass all the other states and become the de facto judge and jury for privacy in the U.S. (that’s why we’re lobbying for one federal privacy law for the U.S.).
So, what should you do? The safe answer is to 1) make sure you comply with GDPR if your app touches Europeans, 2) make sure you comply with CCPA if your app touches Californians and you have growth ambitions, and 3) get to work on CPRA requirements with a target for compliance by the end of 2020. Alternatively, your app or service could abandon data collection and targeted advertising altogether. Instead, you can put a price tag on your app and hope users are willing to pay for what was once free, a business model that will soon be gone for good.