The California Consumer Privacy Act (CCPA) came into being, in part, to keep it off the ballot. There were petitions to get a privacy act like GDPR onto the November ballot, but instead, lawmakers rushed through legislation in what has to be record time and the governor signed it into law.
The tech industry is not pleased.
In a Fortune article, Robert Callahan, the head of state government affairs at the Internet Association, was quoted:
It is critical going forward that policymakers work to correct the inevitable, negative policy and compliance ramifications this last-minute deal will create for California’s consumers and businesses alike.
That seems to be the consensus among the tech industry, as well as the social justice and business communities. The concern is that the law was pushed through too quickly. It’s a legitimate concern. GDPR took years to pull together and implement. CCPA took a couple of weeks.
Tech companies are complaining that they didn't have enough input into the legislation. Fair point. In many ways, making the changes needed to meet the requirements could be costly. However, Jason Wang, CEO of TrueVault, isn't buying that argument, telling me in an email comment:
The arguments that implementing new policies would be costly and time consuming don’t hold up when you compare the time and cost to consumers of not taking action.
There are other concerns, such as hurting innovation, especially for small start-ups and companies that depend on the sharing economy. As AdAge pointed out, this privacy law in particular could hinder their growth due to the requirements surrounding third-party data.
Yet, had CCPA gone to a ballot initiative, it would have been much worse. According to CPO Magazine, the provisions in the original ballot initiative would have left the tech industry vulnerable to lawsuits and again, could have stifled innovation and growth. With the legislation, there is hope of amendments and restructuring in the next 15 or so months until it goes into effect.
However, CCPA and the other state laws are our new reality, as Wang said to me:
The CCPA and federal data protection law are inevitable. Big tech companies will have an opportunity to plant a flag in the ground and decide whether they are prioritizing consumer rights at the expense of a little profit or prioritizing profits at the unnecessary expense of consumers.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba