The California Consumer Privacy Act (CCPA) took effect on January 1, 2020. Before that, in September 2019, we shared a summary of what CCPA would entail, how it differs from GDPR, and what to expect in January 2020. Now that we are well into 2020 and many changes have occurred in the privacy and CCPA landscape, StackAdapt is here to provide updates to keep you informed.

The Impact of CCPA

The broad definitions of the law and the unpreparedness of businesses had made compliance in the industry uncertain. California, as one of the largest advertising markets in the United States, put businesses and website operators in the hot seat to invest in data governance and security as users were given legal rights over their personal information. According to eMarketer, 93% of U.S. IT decision-makers said they had been proactive with data privacy regulations like GDPR and CCPA. Over half of respondents report having taken steps like improving their use of existing security technologies, investing in new technologies and improving their data handling practices. Non-compliance is not cheap, as previously reported, businesses may be subject to an injunction and liable for a civil penalty of up to $2,500 for each violation or $7,500 for each intentional violation. This all became enforceable as of July 1st, 2020.

What Has Changed in 2020

So what has changed over the last few months? How has the patchwork approach to data privacy evolved in the U.S.?

With no federal guidance or standard on data privacy on the horizon, only 3 states have successfully passed legislation, California (AB-375 “CCPA”), Nevada (SB-220), and Maine (LD-946). Lost in the hype of the CCPA, Nevada and Maine’s data privacy laws were actually enacted months before the CCPA in 2019. The legal definitions were much more narrow compared to the CCPA, in regards to the sale of personal information and new rights users would have to their data.

The IAB Tech Lab developed the IAB CCPA Compliance Framework for Publishers and Technology Companies to support CCPA compliance for website and app owners and the digital ad tech ecosystem. Although an IAB Roadmap for the data privacy laws of other States has yet to be released, we are following the evolving news and will keep you up to date if other privacy frameworks become available. StackAdapt is a signatory to the IAB CCPA Compliance Framework and encourages publishers and ad tech partners to become members of the Framework to support the collective efforts towards compliance.

It was anticipated that New York would be the next major state to pass a comprehensive state-level privacy law with its New York Privacy Act (NYPA), introducing users’ rights to legal action on violating businesses. However, at this time, states like New York, Maryland, or Illinois, are still in committees and are awaiting approval through the legislative process. Until these privacy regulations are passed and enacted, there is still lots of uncertainty in their future.

The global health crisis this year due to COVID-19 only made matters worse for all parties involved. A shifting economy, changing social habits, and the need to adapt to new business norms have made investment into compliance for businesses more challenging. At the same time, government processes to affirm these bills are being delayed or tabled for future discussions.

What we have seen instead of data privacy legislation are States expanding their standardized sales tax or creating a gross receipts tax to include advertising, in response to the economic shortfalls and impact of COVID-19. Similar to data privacy, there is a unique State-level approach which makes agreements and perspectives on the matter polarizing at times.

Since January of this year, we have seen 3 states introduce legislation that tax digital ads: Maryland, Nebraska, and New York. Maryland was the first state to successfully pass their digital ad tax on March 18, 2020. The bill (SB-2), as it was passed by the Assembly and the Senate, is supposedly veto proof. Both houses garnered enough votes so that if the governor vetoes the bill, they can pass it anyway. Which was seen on May 7, 2020, when Maryland Governor Larry Hogan vetoed the bill citing its rush to be passed and the changes would further the burden that citizens were already facing with COVID-19, as these new expenses would end up being passed onto Maryland residents and businesses. This veto puts more strain on trying to determine what a business needs to do to be compliant with the law. However, the digital ad tax trend lives on and is still being introduced in other States.

The intention was not only about revenue but as a response to perceived exploitation of customer data and consumer privacy especially those on walled garden platforms like Facebook and Google. The bill imposes rates of up to 10% on digital advertising, with businesses that have gross revenues under $100 million being exempt. Nebraska’s LB-989 looks to extend its existing sales tax of 5.5% and New York’s Digital Ad Tax Act (DATA) aims at up to 10% for businesses, similar to that of Maryland. Legislations are still in committees, but await similar hurdles to being passed.

The New Normal in Data Privacy

As we navigate a new normal, data privacy conversations are beginning to evolve. Some of the questions being asked are:

  • How has the global health crisis affected companies from implementing effective privacy programs?
  • Data such as geolocation has shown to become essential when dealing with health emergencies like COVID-19 – Should an emergency situation like the current one prevail over the privacy rights of citizens’ data?
  • Which State will introduce new legislation that would require the IAB to create another Roadmap? What type of infrastructure may be required to be compliant?
  • Maryland’s SB2 sourced revenue to the state by the user’s IP address. What if a resident uses a virtual private network (VPN) to access the internet?

Finally, given all the recent updates, here are some important points you should know:

  • California Attorney General Xavier Becerra refused to delay the enforcement of CCPA due to COVID-19. Enforcement started on July 1st, 2020. There have not been any reported fines or lawsuits brought by the AG under CCPA as of yet
  • The European Data Protection Board (EDPB) has published guidance for the use of location data and contacts tracing tools intended to mitigate the impact of the COVID-19 pandemic. Overall, it is important to still adhere to data protection laws like GDPR even during a crisis like COVID-19, and it is strongly recommended to focus on anonymized data over personal data. The public health crisis should not provide an opportunity to establish disproportionate data practices and data should only be kept for the necessary time required. Personal data such as geolocation that is used for the purpose of assisting with contact tracing, should be deleted after the pandemic is over. Data should only be used for its intended and agreed upon usage
  • Additional digital ad taxes are argued to be in violation of the Permanent Internet Tax Freedom Act (PITFA) which prohibits States from taxing internet access or “discriminatory taxes on electronic commerce”. There are no digital ad taxes currently being enforced at this moment in time
  • Maryland’s special session to discuss their vetoed digital ad tax bill will most likely resume in January 2021, due to the pandemic
  • On July 23, 2020, DC Council voted on amending their fiscal 2021 budget and financial plan in order to eliminate the proposed advertising tax

This post was written with information gathered from The International Association of Privacy Professionals (IAPP): State Comp Privacy Law and State Comparison Table.