I’m just wanting to start a thread for discussion related to the California Consumer Privacy Act (CCPA) which comes into law on Wednesday (January 1, 2020.)
At this point, there seems to be zero agreement on what compliance looks like. I hear that some companies (like Indeed) are forcing users to grant permission to the sale of their data or be forced to delete their accounts. This just seems crazy…
But, CCPA raises other questions, too…
Will other states follow suit with their own laws? Will we soon have to deal with 51 privacy regulations (one for each state + GDPR)? How can a small business be expected to keep up with all the legalese and moving-target compliance determinations? Why not a single federal law? How can we get out in front of it as developers? As an open source project?
I have more questions than opinions on it and am curious what others are thinking about how to tackle this new regulation and the presumed additional regulations that will likely follow.
These privacy laws are much overdue. In the late 80’s and early-mid 90’s the internet was seen as a niche computer platform for programmers and computer scientists, and as such it was allowed to develop largely unregulated. Such an argument cannot be credibly made today for a number of reasons, consumer protections being one of them.
Australia has been weak on online privacy, but we have been strong on consumer rights. Since 2011 the ACL (Australian Consumer Law) has been strong, and the regulator ACCC has been given strong enforcement powers. Their advice is clear: all online businesses that sell into Australia must comply with the ACL, which give consumer guarantees that cannot be removed. I’ve pointed this out on other forums, and there’s always overseas companies who think they don’t have to comply. I can’t understand why anyone would think that consumer’s domestic protections don’t apply when they’re a customer - but if you do take that view be prepared to be blacklisted from payment providers and other key service providers. In 2016 Valve was fined AUD $3 million for breaching the ACL (that fine is in addition to the corrective action they had to take as outlined in the judgment). That case was so straightforward, yet Valve appealed and lost in the courts anyway - in short they sold software products (i.e. computer games) to customers that didn’t work as advertised, that were legally shown to be faulty. Sometimes because the games were pre-sold and when launched had lots of game-play breaking bugs that went unfixed for weeks, or required better hardware than advised at the time of pre-sale, or the frame-rates were deemed “unplayable”, or because they sold customers without supported hardware games anyway (Valve’s evidence showed the the Steam Client provides detailed system information of their clients to the company, so they knew when their customer’s hardware did not meet the minimum system requirements when they sold the games) - then they would refuse to issue the required remedies under the ACL. It’s actually good that they went to court because it confirms ACL applies to overseas companies. I have read both judgments, the Judge in 2016 made a very principled finding.
Valve had to display this notice, which they did, for 12 months on the Steam homepage to all Australian IP addresses:
Sony Europe is presently being sued for the same conduct, they too want their day in court, and I can confidently predict they’ll loose now that Valve already set a clear legal precedent. They’ll have to put up the court’s notice on their website too (that notice is very standard in ACL cases).
It’s important to note with Valve they had many options, but they did not even have legal advice when they were selling products to Australians and failed to obtain it even after the ACCC brought action against them. For example, if they know that customer’s computers don’t meet the minimum recommended system requirements they could have either (a.) declined the sale based on unsupported hardware, (b.) offered a free trial of the software, (c.) allowed the sale but offer a refund if the game is unplayable, or even (d.) be ignorant of Australian consumer law but comply with the requests from their Aussie clients when ACL is raised. But what they couldn’t do, which was illegal and what they did do was sell the games and then tell customers their Australian consumer rights didn’t apply. The same situation with pre-selling games (that’s the practise of selling games before the launch date). They had plenty of options.
Lots of small business based overseas think that no enforcement action can be taken - wrong. PayPal and other payment providers will issue chargebacks if a complaint is raised of foreign businesses refusing to honour ACL, and Australian banks can formally request chargebacks too (see Choice article, it is also a recommended course of action on the government websites ACL and ACCC; and it’s in the banking code that Australian customers have a right to dispute a transaction and the bank has to pass the chargeback request on to the merchant via their payment processor). That might sound like it would go nowhere - it doesn’t, unless they’re using rouge payment processors they will ask the business to provide a satisfactory response to the dispute, and if they don’t they usually go ahead with the chargeback. That’s the case as it is today, I believe there will be only greater cooperation of payment providers in the future because the threat of regulation is always hovering over them.
Sometimes I hear the claim that it’s too onerous to understand our laws they should be allowed to trade into Australia purely under their own laws. I definitely don’t think it’s “onerous” because an Australian customer can simply inform the overseas business of their rights (the ACCC website is very clear), and if they insist on refusing to honour them it’s more likely than not they can issue a chargeback with a good chance of success as described above. It’s the same with any other country - US citizens for example should feel their consumer rights will be honoured by overseas merchants in Australia, Europe, and elsewhere. The consumer rights are very clear, simple, and frankly reasonable as you see in that screenshot. If you sell something that is defective or not fit for purpose they have a right to a remedy (repair, replacement, refund). One policy that Valve could have leveraged for example is if a game was defective, allow the customer to choose a replacement game of significantly higher value - i.e. your $20 game is defective, pick another game up to $50 in value and if you can’t find one you like you get a refund. Lots of businesses use policies similar to that, it saves them lots of refunds and keeps their customers happy. At my former workplace, if a customer would take a store credit (which they didn’t have to - we would refund if they didn’t want store credit), when it came time to use it we were always flexible on the amount.
So in terms of privacy I see it in the same way as I see consumer rights - I think the GDPR is a good thing. For much too long the average punter has had absolutely no idea how their personal data has been misused, circulated, hacked and leaked and sold and so on. For example Yahoo didn’t inform their customers that a hack compromising the personal information of 500 million customers occurred in 2014 for TWO YEARS, and if that’s not bad enough they didn’t inform their customers about a data hack in 2013 that compromised data of every single customer - 3 billion of them - for over THREE years. It’s clear breaches of ethics and responsibilities by tech giants like this that is why online privacy protection needs regulation. It’s why the GDPR gives EU citizens the “right to be forgotten”. Once your data is erased for good it can no longer be hacked, leaked, or compromised out of the 3rd-party database.
On the issue of consumer rights, I’ll share a story of my own.
I once had a customer pick an item and pay for it to pick up later, and I had unwittingly double-sold it (my colleague sold the item about 1-2 minutes earlier from their register physically located in a different building - the item was in my building). This was before I took customer details down on every sale that was pick up later (I had his name but not his phone number - and there was every chance he could come in on my days off). Anyway I had to figure out what to do. I couldn’t possibly expect the customer to come back expecting to collect their item and be happy with a refund! So what I did was look through all our products to find the closest replacement item I could - there was only one that was similar (lucky that there was that to be honest) so I marked it as sold to my customer and planned to apologise and explain when he came in to pick up his item.
When he came in a week later with his receipt in hand and went straight to another colleague and said “I’m here to pick up my item, I’ll show you” I had to rush to apologise. My priority was to apologise for our error first and then explain. “No, no, no, I’m very sorry that isn’t yours, it was double-sold” I said. The conversation went really well. The item was still there not yet picked up, and I showed him the replacement product I had marked for him. I explained I marked it as it was the most similar product we had, but if he’s not happy with it I’m happy to refund, and that I was very sorry about double-selling it. I honestly didn’t know what to expect, I had at least done my best to provide a remedy that I thought the customer would be agreeable to. Would he demand “his item”? I wasn’t prepared for that outcome, in hindsight it might have been wise to print a copy of the other receipt so I could show him it was sold about 2 minutes earlier. I had presented a binary choice which looking back I thought wise “this replacement or a refund” rather than inviting him to select yet another replacement when I already knew there was no other similar product in stock.
As you might expect he was definitely shocked initially, but he took it really well. He looked the item over and was happy with the replacement product and thanked me for it. This is a great example of the best possible outcome, I’ve had dissatisfied customers and others over the years, but this is an example where a situation leading headlong into dissatisfaction was managed well by simply finding and providing a suitable replacement product. The whole thing wasn’t my fault, the colleague who sold it didn’t put a line through the price tag (that’s how we prevented double-selling in the first place), he had walked to the area with the product and out again in all of 30 seconds with his customer and said nothing to any of us in our building. It was completely up to the customer whether he felt the replacement product was satisfactory and I was upfront if it wasn’t he could have a refund. Keep in mind he was there to pick up his item, I’ve apologised shown him a very suitable replacement item (pending his agreement) which means his visit will not have been in vein compared to “sorry it was double-sold I’ll issue a refund”.
Moderated: Edited for language. This is a family-friendly forum.
That’s a very good question! The GDPR means one set of rules throughout the EU instead of one per nation. And a federal law in the US would come under the Commerce Clause of the US Constitution, meaning that it would pre-empt the ability of states to write their own rules.
But that last statement also provides part of the answer. Many politicians in the US don’t like the idea of the federal government taking over powers that might otherwise be exercised by the states. On the other hand, many of the same politicians seem to have suddenly taken a different view on many laws since the current administration came into power! So it’s complicated! Or rather, it’s politics.
This may end up replicating the problem that every state used to have its own laws of contracts. You can imagine that was a nightmare, so some enterprising lawyers got together, wrote what is now known as the Uniform Commercial Code, and then persuaded almost every state to adopt it.
At a practical level, though, most small businesses can ignore the CCPA, since it applies only to businesses with a gross revenue over $25m, more than 50,000 customers, or which derive more than 50% of their revenue from selling user data.
Thanks, Tim – really appreciate your learned opinion on this. I did take note of the exclusions, but, was left with the single concern (on that point) that someone can make a request… and if you don’t honor it with a set of data, they can sue you… Sure, you’d win in the end, but, that’s a lot of time wasted, frustration dealing with the legal system, and (no offense!) that really only enriches attorneys.
No offense taken! But someone can sue you about anything already — that’s an inherent problem with any legal system, made worse in the US because each side typically pays its own costs instead of having the loser pay — so I don’t think that really makes much difference.
And I think it’s fairly clear that enforcement in California is going to take a leaf out of the EU’s book and go slowly to start with.
It’s my hope that we’re not stuck with moving targets. They came up with this Act in a single week; frankly, it seems like a sloppy implementation. I think I read somewhere yesterday that enforcement is delayed until mid-2020. It’s still good to hear what you have to say about it, though. Thanks for jumping on this thread.
Ah, I did delete a paragraph where I said CCPA looks like a welcome start if it’s to be the coast-to-coast blueprint for privacy regulation in US, which certainly addresses the core questions related to “Why not a federal law?” Also note you could ask the same thing about many other laws that were rolled out at the State level in the US.
My major point is that online privacy regulation is long overdue. What we’ve seen happen over the past 15 years is that the software products we once called adware and spyware became mainstream, and websites have designed themselves in the same way. The problem is that there is a very big difference between what the average punter thinks is OK and what software/tech companies and others think is acceptable. With advertising they’ve been fighting the law of diminishing returns and their loss of relevance - the entire business model is a straightforward extortion racket. They take customers that want to buy a product and sell them back to their suppliers. All of this was predictable, and indeed predicted by industry experts 20+ years ago - the law of diminishing returns was observed in every form of advertising - print, radio, television, billboards, and now internet. Two primary reasons are that (a.) people learn to cognitively filter ads, and (b.) there’s a finite amount of consumer spending to go around. A third reason for internet advertising in particular is that all the advertising that people actually want, that they used to get from their newspapers like real estate, cars, and classifieds, went to websites specialising in those things, and none of those advertising services require tracking or spying on users as they surf around the web.
I’ll show you an example of what I mean by the business model being an extortion racket:
If that doesn’t convince you what a complete fraud online advertising has become under Google and their pals, nothing will. Nothing could be more blatant and cynical than that example, where the top search result has been preceded by an ad which is materially the same as the search result itself. The advertiser wants their cut. They don’t want to advertise a competitor to the customer, they’ve worked out that’s less profitable, they want to advertise exactly what the customer already wants! Who’s interests is that in? The customer, the merchant, or the MITM advertiser? Not only that, but unlike the old days they’ve had to make the ads look exactly the same as the search results to prevent people cognitively filtering them out. It’s not there to inform the web user of a product or service, it’s purely there so the advertiser can take their cut. The great irony of course is that Advertisers have been complaining about Adblock Plus doing the same thing.
For websites, particularly big news websites and other other big online platforms, they’ve become addicted to and reliant on the privacy-invading spyware tracking based model of “interest-based advertising”. Google, Microsoft, and Apple have all built Advertising IDs into their operating systems even though advertising IDs are not in their customer’s best interests. If you buy a new laptop with Windows 10 pre-installed on it, it will already have an advertising ID set for you so you can be “tracked” by 3rd parties.
Anyway this is why we need privacy regulations - the real world applications are very clear, and the gap between what the punter thinks is acceptable and what the service providers and advertises think is acceptable needs to close.
Ok, I think I see the relevance of your original post now… I have the impression you’re trying to sell me on this whole need-for-privacy thing…and why it’s important. There’s no need for that. Those things are not at issue at all here and I’m not disclaiming the need for regulation. I’m asking questions so I can be sure my plugins are compliant, not so that I can skirt the rules. I’m well aware of why this is important and I’m already on board. My concerns, as noted in the original post, are related to how to be compliant, rather than why be compliant.
Ah yes well since we have a good idea on what these laws are addressing (and they’re long overdue) I don’t think there’s any cause for alarm certainly not from developers (it’s the publishers that might have cause for concern). We will indeed have to wait and see what compliance looks like.
This is kind of my issue with the laws, I think my post above was really “anti” and I am not. I do support the “concept” they are trying to address. My issue really comes down to how can businesses/developers realistically be expected to keep up with the changes especially when most laws are pretty broad and apply to services used by the population even if not specifically the target.
Anyways, going back to the original question, there are some good resources from Hubspot:
In my opinion there should be a very simple rule set for how to handle potential issues with collection of private data. This is partly based on a loose understanding of the GDPR and partly just what I would want to see from a digital product:
Collect as little personally identifying information as possible, ideally none
If you do collect personally identifying information, limit its use and scope as narrowly as possible (in terms of what it’s used for, who can see it, and how long it’s stored)
Disclose what you’re doing accurately and clearly
In practice this means you can’t use many of the standard off-the-shelf tools. Google Analytics is probably one of the worst and most common offenders, but even web server programs in their default configurations will store IP addresses and user agents for a while (which is often necessary).
If you follow these rules successfully you are already doing better than 99% of other sites/products out there, which eliminates most of your risk in practical terms.
As far as how compliant this approach would be with the minutiae of GDPR, CCPA, XYZQ, and how to craft the relevant language appropriately… I’d best leave that to the lawyers.
