Law School Up Close

Is Silicon Valley Whistling Past the Graveyard?

With the General Data Protection Regulation (‘GDPR’) coming up on its 10-month anniversary, there have now been a total of five fines levied against breaching companies. But with reports of upwards of 90,000 complaints as of January, the floodgates are only starting to creak open, and the slow roll-out of the legislation on May 25, 2018, now seems a lifetime away. Google got hit with a €50M fine in January as a result of, among other things, auto-checked consent boxes.

So, the world should rejoice, right? Well, at least if you are an EU user, GDPR has provided for some amount of safety online. But at what cost? Some companies, like RockYou, collapsed under GDPR as well as related strides towards transparency, but the big players loom in uncertainty as complaints mount against companies like Google and Facebook for forced consent. For Facebook, there is a fundamental “sign-up” process that I think will shield them to some extent, but they noticeably released massively bearish financial reports for the quarter after GDPR enactment. But it was only EU traffic, right? This kind of legislation will never hit stateside.

Enter the California Consumer Privacy Act of 2018 (‘CCPA’), legislation set to take effect in January of 2020. In less than a year, Californians will be under data privacy protections similar to those of EU users, protections that are rocking the industry for players all over the spectrum, from the Facebook viral sensation formerly known as Little Things, to publisher conglomerates like RockYou, to pervasive necessities like Google Analytics that publishers have grown acutely reliant on. When GDPR rolled out in May, Google was releasing information to publishers regarding compliance days before, and what it was mainly doing was passing on liability. What else was it supposed to do? Google Analytics sits on 66% of the top one million sites, and an astounding 85% of the top 10,000. The only feasible option was to change the user agreement and leave publishers to bear the consequences. We must ask whether this kind of adhesion to legal uncertainty by online publishers, who are inherently out-leveraged by the products they rely on to be profitable, is what the drafters of these laws intended.

My goal in writing this is not to present a doomsday forecast of the effect of data protection laws. Instead, I want to outline the challenges faced by tech companies trying to comply with these regulations. One aspect of GDPR that I believe deserves reconsideration is the idea that consent walls should not be used to mitigate lost revenue. As consumers, we have grown accustomed to being served free content online. Sure, there are donation options for sites like Wikipedia, but as you may have noticed, Wikipedia has not stopped asking.

What is Personally Identifiable Information?

The CCPA defines Personally Identifiable Information (PII) as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

From this definition, one may think of the basics of personal identification: names, social security numbers, driver’s license or ID numbers, emails, medical records, etc. But the one that is the trickiest to deal with is the IP address, a numerical label assigned to each device connected to a computer network. Along with browsing history and geolocational preferences, the user’s IP address most commonly catalyzes the transactional data handshake that privacy laws scrutinize. This data is what keeps the internet free. It allows sites to monitor your viewing preferences and adapt their businesses accordingly, and also allows them to leverage this information in auction-style ad exchanges hosted by companies like Google’s DoubleClick for Publishers (DFP).

Who is Protected by the CCPA? Who Must Comply?

All California residents are protected by the law, whether in the state or in another state while domiciled in California. Similar to GDPR, this caveat is virtually impossible to enforce. Why? Because the IP address tells the software where the user’s location is. If a Californian is at a Motel 6 in Kansas on a road trip, using the computer in the lobby, there is no way to tell from the server side that they are under the protection of the CCPA. This error in legislation, to me, highlights a fundamental problem with the current wave of data protection regulation developing stateside. Legislators generally do not understand how software fundamentally works. States like California and Washington are rushing into this legislation as a result of GDPR’s public awareness effort, legislation with similar technological shortcomings.

While the protected classes of the two regulations (GDPR and CCPA) are similar, the scope of who must comply appears to differ vastly. While GDPR defines a “data controller” as any natural or legal person, public authority, agency or other body that determines the purposes and means of the processing of personal data, under CCPA, liable “businesses” are for-profit entities doing business in California that determine the purposes and means of the processing of consumers’ personal information. So under California law, certain organizations appear to remain unfettered as long as they are not “for-profit” entities.

And… What About Consent Walls Under CCPA?

The concept of incentivizing “opt-in” is a contentious one for the drafters of the CCPA. §1798.125(b) seems to permit businesses to offer different prices and incentives for users who “opt-in,” consenting to data collection, while §1798.125(a) proclaims that “[a] business shall not discriminate against a consumer because the consumer exercised any of the consumer’s rights under this title.” These two sections are facially in conflict and highlight another critical uncertainty in the law. Can a website block a user until they comply with data collection?

The outcome of this fuzziness will likely hinge on another central aspect of the regulation. Pseudonymization, or “deidentification,” is essentially processing data so that it retains its personally identifiable characteristics while anonymizing the specific user. This process is not within the legal purview of GDPR, crippling the ability of companies to mitigate their losses amid these regulations, but CCPA has yet to fully define what is allowed, and what standards will exist for deidentification.

Conclusion, Confusion, Carry On

I am concerned that the technical hurdles of complying with a multitude of state regulations are not being fully considered, and the aggregate effect of this regulation is not fully understood. In my experience, writing working code that meets the needs of the modern consumer is more than a full-time endeavor, and adding JIRA tickets for data compliance will cripple many in the industry that cannot afford the glut of compliance. The result of this mayhem in response to GDPR a year ago was the productization of compliance tools that companies could plug into their websites. The question is whether these tools are supported by anything more than legal “puffery.”

On the other end of the spectrum, companies who can afford it are seeking legal protection as attorneys wade into the deep waters of cyberspace and define the regulatory language that has not been battle-tested by court rulings. While having someone in your corner who can at least apply legal reasoning to the regulation to validate what your company is doing is a layer of armor, it is not a silver bullet. And at what point does this practice become unprofitable as state-level regulations continue to roll out?

Meeting the needs of the modern online consumer who is concerned with the use of their data will require engineers in the “boiler rooms” writing and shipping code to interact with legal and compliance teams more than ever before. Software developers are in a position where they can push non-compliant code that will pass integration and unit testing. Meanwhile, the constantly shifting terrain requires the legal and compliance experts to keep their ears to the ground, lest they miss a murmur. But at the end of the day, we can only hope that these steps curb the nefarious activities that have sullied the web and have made it a dangerous place in obvious and much more subtle ways, while allowing businesses to continue existing to meet the needs of those protected consumers.


Theodore Rand