Wednesday, December 04, 2019

Now, start paying attention to CCPA if your site has one California visitor (other states likely to follow suit)

Ian Corzine has a serious discussion of what website owners and YouTube and social media channels need to follow to comply with the California Consumer Privacy Protection act (CCPA, AB-375).

Like with COPPA, this subject will surely be the focus of a lot of lawyerly videos.  In theory, any website or youtube channel with one visitor from California is “vulnerable”.  Likewise, other states will pass similar laws and Congress ponders it, and a federal law is likely by 2021, after the next election cycle.

The law has thresholds regarding visitor counts and income before they would apply out of state.
The law is said to have a “right to be forgotten” clause.

There is a possibility that even a site that requests no personal information itself could be doing indirectly through cookies.  Corzine says that the larger vendors (like Amazon, for links to Associates) are compliant.  Wordpress and Automattic would need to weigh in.  Presumably Google Adsense will be weighing in soon and requiring privacy policy changes. My own blogs and legacy site do not ask for personal information or logon (COPPA-style age-gating could be in the future and that is a complication);  there is one page on one Wordpress blog that links to a 3rd party payment processing company offered by the Web Host; I do not see the purchaser information myself). 

Two or three other quick problems come to mind.

One is mentions of non-famous people.  This mostly happens in news stories quoted, or sometimes personal contacts that have been active more locally but who are not “famous”.  I’ve had two or three requests to remove names from my blogs over 15 years or so and there were unusual circumstances in all of them.  I can imagine the mention of a non-famous criminal defendant from a news story not yet convicted as an issue.

The other is for self-published authors, especially if they are POD and mass order their own books at a discount to sell them themselves, which POD companies tend to expect them to be able to do (and POS companies are notorious for cookie-cutter marketing). My own site (on Wordpress) links to a third party company called Payment Sphere.  Coming from a large webhosting company, it certainly should be compliant, but I will check before Jan 1 (like do I need Corzine’s patches on my own Wordpress page?  I’ll check.)  Behind this comment is the idea that tech industry is slowly paying attention to individual creators' "commercial viability" (I realize the phrase on YouTube's recent TOS change has a more contingent interpretation) and whether business models can afford to host speech for its own sake if it doesn't try to make money on its own. 
Another possibility is speakers who leave their own PII in comments (like people who knew me from the Army, etc, during the "don't ask don't tell" debate;  that has happened.) 

The applicability of state laws comes from our own system of federalism, but that really exists in Canada too (Quebec is a special case and has tricky laws of its own about everything), and, in a different way, in the EU (from GDPR and the Copyright Directive).  Stay tuned.
I am in Virginia, but I make it to California frequently (and was just in Ontario recently).

No comments: