While navigating a mammoth advertiser boycott and potential federal antitrust charges, Facebook Inc.’s chief financial officer may be most concerned about California’s strict new privacy law.
The California Consumer Protection Act, or CCPA, is considered the nation’s first true data-privacy law and among the strongest aimed at the digital economy. Consumer advocates say it could usher in more state laws that hold the likes of Facebook Inc. FB, -0.08% and Alphabet Inc.’s GOOGL, +1.09% GOOG, +1.13% Google more accountable for how they monetize the data of billions of people world-wide.
The CCPA officially became California law on Jan. 1, and began being enforced by California Attorney General Xavier Becerra on July 1 after a six-month grace period. When asked about it near the end of the company’s earnings conference call last month, Chief Financial Officer David Wehner launched into a long discourse about its impact on advertising, the lifeblood of Facebook.
“You know, in the near term, that’s really around implementing CCPA. And in the longer term it’s more potential for further similar regulation across the globe,” Wehner said. “We’re seeing an impact to the business from CCPA today. We don’t know what the impact will be. How things play out will depend on advertiser implementation, adoption rates in terms of opting out of tracking. So there’s a lot of uncertainty as to how it plays out.”
Wehner did not offer specifics, but Facebook has taken several steps over the years to comply with CCPA. Indeed, the depth and tone of his answer showed greater concern for it than the July ad boycott of more than 1,100 companies over objectionable content on the social network. The boycott, which included Coca-Cola Co. KO, -0.11% and Ford Motor Co. F, -0.42% , is expected to have minimal drag on Facebook sales.
The ominous legal cloud of CCPA, which one data-security expert calls the most far-reaching law affecting California businesses, goes far beyond Facebook. Some 500,000 companies nationwide who deal in data in the Golden State are affected under the law’s broad rules, according to Kimball Parker, CEO of SixFifty, the technology subsidiary of pre-eminent Silicon Valley law firm Wilson Sonsini Goodrich & Rosati.
CCPA gives internet users the ability to see what information is collected about them and stop that data from being sold. It empowers California’s attorney general to penalize the worst offenders, with fines of $2,500 to $7,500 for each violation. The law broadly applies to businesses that meet any of these three criteria: annual revenue of $25 million; more than half of its revenue through the sale of consumers’ personal information; or handling personal information of more than 50,000 California residents.
“For companies, it is a nightmare,” Parker told MarketWatch.
In addition to a legal process that alone costs $150,000, businesses must invest in technology tools to adhere to new rules. “Who this really screws over are smaller businesses, like a Sacramento co-op supermarket (Sacramento Natural Food Co-op) that is a client of ours,” Parker said.
Of course, Facebook and Alphabet face the most total exposure because they reach billions of people and each violation of the law comes with a fine of $2,500 to $7,500. “The fines add up,” Parker said.
The law has already exacted a steep financial toll for Facebook. The social-networking giant says it has spent billions of dollars shoring up its privacy and security features to comply with laws like CCPA in the U.S. and General Data Protection Regulation (GDPR) in the EU.
At the same time, Google and Amazon.com Inc. AMZN, +3.12% — who, along with Facebook, command more than 60% of the U.S. digital-advertising market — have taken significant steps to address the new law.
Facebook contends its data policy, with CCPA-related updates, includes information on different types of data that it collects, how the company’s products work, and an update on what California consumers need to do to exercise their CCPA rights. In June, the company released a feature, Limited Data Use, that limits how Facebook uses partner data by directing Facebook to act as a service provider when processing information coming from California residents.
“We’ve created dozens of teams, both technical and nontechnical, that are focused solely on privacy, and we currently have thousands of people working on privacy-related projects and we’re hiring many more,” a Facebook spokesman told MarketWatch. “For example, we built self-serve tools that let people access, download and delete the information they share on our service. We make these tools available to everyone on Facebook, regardless of where they are.”
The law’s impact is sprinkled throughout Facebook’s 10-Q form for its recently completed second quarter. CCPA is mentioned seven times, compared with 40 mentions of COVID-19 and nothing on the boycott.
“These laws and regulations [in particular, CCPA and GDPR] are evolving and subject to interpretation, and resulting limitations on our advertising services, or reductions of advertising by marketers, have to some extent adversely affected, and will continue to adversely affect, our advertising business,” according to the 10-Q report. “Any of these events could have a material adverse effect on our business, reputation, and financial results.”
There is little debate the law’s most significant impact will be on the digital-advertising ecosystem, cautions Julian Baring, general manager of Americas at Adform.
“CCPA is the latest example of slow march of regulation encroaching on their business models,” Baring told MarketWatch.
The parade of data-privacy laws was largely prompted by Facebook’s Cambridge Analytica scandal, when the London-based political consulting firm acquired and used the personal data of up to 87 million Facebook users without their permission.
“It was a watershed moment for consumers and privacy,” says Pam Dixon, founder of the World Privacy Forum, a nonprofit public interest research group. “We got [the European Union’s GDPR], CCPA, and a sequel to CCPA. The cost to the business side has been profound [financially], and time consuming for individuals to opt in.”
Shaped by real estate millionaire Alastair Mactaggart, CCPA is broadly applied to any company with either annual revenue of $25 million; derives more than half of its revenue through the sale of consumers’ personal information; or handles personal information of more than 50,000 California residents.
If that doesn’t complicate the operations of Facebook and others, its successor on the November ballot, the California Privacy Rights Act of 2020, or CPRA, could make matters harder. It would grant consumers more control over what it calls “sensitive personal information” such as a person’s race, health, Social Security number and recent locations using GPS technology. If passed into law, consumers would have the right to prevent such data from being sold or used for advertising purposes.
More important, CPRA includes the creation of a five-member state agency to enforce privacy protections, instead of the state attorney general under CCPA.
“Under [CPRA], a consumer can limit the use of their sensitive information to stop Uber UBER, +1.05% from profiling them based on race, stop Spotify SPOT, -1.31% from utilizing their precise geolocation and prevent Facebook from using their sexual orientation, health status or religion in its algorithms,” Carmen Balber, executive director of the nonprofit Consumer Watchdog, said in a statement.
“CPRA is coming in another year, and it is another hurdle that is completely cost prohibitive for most companies,” Parker says.
Businesses should expect privacy to be a concern front and center for years to come, data experts warn.
“Facebook and Google are under so much regulatory pressure, they have the resources, the money and lawyers, be on top of things,” says Richy Glassberg, CEO of Safeguard Privacy, which helps hundreds of businesses meet CCPA guidelines. “Everybody else is screwed. It is a continuum to stay ahead of privacy regulation. In a year, Mactaggart’s new law will be more like GDPR. We’ll be talking about this a year from now, if it passes.”
For now, in a new world order of CCPA, most companies are content to comply as much as legally required without revamping their business operations at great cost and possibly weakening product lines, security experts say.
“They’re skirting or toeing the line while still running the same old business model,” says Gusto Chief Security Officer Fredrick “Flee” Lee, who has written extensively about CCPA, most recently for Harvard Business Review.
“There’s an inverse monotonic relationship between privacy and value,” Vasant Dhar, a professor in the NYU Stern School of Business, where he is director of the Center for Data Science, told MarketWatch in an email message. “The more someone knows about you (less privacy), the more value to them. CCPA introduces friction (you now have to DEAL with being ACCOUNTABLE etc compared to the Wild West days, so that’s a cost), and it makes it harder to link data which is where a lot of value lies.”