Data Protection Policy Analysis

California Consumer Privacy Act of 2018, Cal. A.B. 375

December 2018
/100 score
Clear Terms: 4/10
Specific Harms: 2/10
Helpful Processes: 4/10
Not Retroactive: 6/10
Not Harmful: 1/10
Free Speech: 1/10
Simple Consents: 6/10
International Commerce: 6/10
Fair Enforcement: 7/10
Small Enterprises: 4/10


The California Consumer Privacy Act of 2018 (CCPA) presents multiple challenges for enterprises that collect and process data, governments that must enforce the law, and consumers who will be confused by its results. This reflects its hurried conception and drafting in the face of an imminent ballot proposition that policymakers feared would cause even worse problems.

The CCPA mercilessly attacks advertising-supported websites by requiring prominent and persistent postings of data-sharing opt-out mechanisms hyperbolically labeled “DO NOT SELL MY PERSONAL INFORMATION.” If a substantial percentage of the population opts out then publishers’ revenue may plummet, and success will be much harder to attain for content startups, bloggers and specialty publishers.

Technically, the law is rife with internal inconsistencies that will vex compliance and enforcement efforts. Another weakness is that (apart from its data breach provisions) the law treats almost all data alike, conflating the most sensitive identifiers with generic website code, which leads to illogical results.


  1. Under the guise of mandating consumer choice, the law requires content owners to prominently link to a sensationalized and mischaracterized “DO NOT SELL MY PERSONAL INFORMATION” opt-out mechanism that intends to persuade consumers to opt out of behavioral advertising – even when their data is not being sold. If substantial numbers of people opt out then website and app publishers that rely on advertisements for revenue will be harmed, and digital content startups and investors will be discouraged. The net result will be less content (in particular, less free content), fewer voices participating in the marketplace of ideas, and more advertising that is also less relevant.
  2. By requiring all websites participating in the digital data ecosystem to link to an opt-out, the law promotes a misguided conclusion that all websites are selling personal information, which is not the case. Rather, the foundation of behavioral advertising is the analysis of large volumes of data aggregated by third parties that partner with websites and apps.
  3. The law needlessly defines almost all data as “sensitive” and worthy of more protection. The overbroad approach to data regulation is imprecise, costly and unnecessary, and burdens even the smallest enterprises that historically have not collected sensitive data. Regulating generic pixel tags and anonymous IDs the same as Social Security numbers is like regulating all transportation – including roller skates and automobiles – alike.
  4. Today digital publishers can choose whether to offer content in exchange for a subscription fee or to instead fund operations through advertising that monetizes data. The Act, however, encourages consumers to opt out of data-based advertising and also prohibits publishers from blocking consumers who do not permit data-based advertising or requiring that they pay. This is unfair to publishers who need to finance the costs of their content and site operations. This restriction is also anti-consumer as it denies consumers the option of choosing to “pay” with cash or by providing data.


Clear Terms: Terminology should be clear to avoid confusion, inconsistency and disputes. [Score: 4/10]
Key questions need clarification. For example:
  • Is information that is “shared” with an online network subject to the “sale” of information regulations?
  • The law says that it protects California “residents,” but are they protected when they are out of state?
  • The law, on the one hand, prohibits “charging different prices or rates for goods or services” to consumers based on whether they allow the sale of personal information, but it allows “incentives, including payments to consumers as compensation, for the collection of personal information, the sale of personal information, or the deletion of personal information.” In this construct, is it possible to provide consumers with incentive payments and have those not considered differential pricing?
Specific Harms: Legislation should focus on specific harms and outcomes. [Score: 2/10]
The CCPA does not focus on specific harms, e.g., that result from data misuse. Instead, by treating all consumer-oriented information alike, e.g., anonymous browser IDs the same as names and email addresses, CCPA loses sight of what harms and outcomes are at issue.
Helpful Processes: Required processes and notices should be clearly defined and helpful. [Score: 4/10]
Although the required processes are clear, they are frequently tied to the “sale” of information and the expansive definition of “sale” encompasses more activity than has been traditionally considered sales of data.
Similarly, the mandatory link to the “DO NOT SELL MY PERSONAL INFORMATION” opt-out is prominent and clear, but the requirement is misleading in that it is required for websites that are not actually selling data.
Not Retroactive: Legislation should not be retroactive – new rules should not apply to previously lawfully collected data. [Score: 6/10]
The requirement that enterprises provide consumers with access to their data in category-specific ways is difficult to comply with for previously collected data that was not tagged for those categories when collected. For many enterprises this will be a painstaking and burdensome process.
Not Harmful: Legislation should not inhibit beneficial data models and uses. [Score: 1/10]
By demonizing data collection and monetization and encouraging people to over-protect even anonymized generic data, the law inhibits activity that has historically been considered relatively non-intrusive and that is fundamentally important to many media publishers (including news, sports, gaming, politics and lifestyle content).
Free Speech: Legislation should not inhibit freedom of expression or government transparency. [Score: 1/10]
The Act fails badly on this principle. Many newspaper, political and government watchdog websites partner with advertising firms to pay for their newsgathering activity. They will be substantially harmed by the apocryphal “Do Not Sell My Personal Information” link. Additionally, the law’s “anti-discrimination” provisions restrict content providers’ ability to charge consumers for accessing content that would be free if the consumers permitted data to be monetized with behavioral advertising.
Simple Consents: Consent standards should be clear for organizations and promote clarity for consumers. [Score: 6/10]
The law does not require explicit consent but the mandatory “Do Not Sell” link will frequently and unnecessarily be associated with activity utilizing non-sensitive data. This will not promote consumer clarity.
International Commerce: International commerce and cooperation should not be inhibited. [Score: 6/10]
The law appears to apply to California residents anywhere in the world if part of the sale of information took place in California. Given the confusing definition of “sale” and the magnitude of the penalties, it suggests that websites and ad platforms must closely track the whereabouts of California residents and also the relationships and locations of all advertising partners (and perhaps their partners’ cloud providers).
Fair Enforcement: Enforcement provisions should be responsible and trustworthy; not chilling or anti-competitive. [Score: 7/10]
The State Attorney General has enforcement authority and can issue Opinions and regulations. Thus, there are opportunities for guidance to assist implementation and promote fairness.
Small Enterprises: Small organizations should not be prejudiced by impractical or anti-competitive burdens. [Score: 4/10]
The legislation purports to exempt publishers with annual revenue less than $25 million, but the exemption does not apply to publishers that annually have more than 50,000 “consumers, households or devices” – so it really exempts only the tiniest publishers.

“9-10” means the legislation thoughtfully accounts for the concern.

“7-8” means that, with adjustments, it can likely account for the concern.

“5-6” means it is neutral on the matter, or that any concerns can be readily cured or mitigated.

“3-4” means that it causes confusion or concern, but not in as widespread a manner as a “1” rating.

“1-2” means that it is poorly drafted or considered, and likely generates more confusion or problems than it cures.