The California Consumer Privacy Act (or CCPA) offers people living in the state of California a degree of control over the data they generate and how internet companies and other entities use it. The transformative nature of the CCPA makes it imperative that consumers understand how to take full advantage of the privacy protections built into the new law.
Internet companies, law enforcement agencies and marketing firms have used data containing consumers’ location, online habits and recent purchases to transform their business and policy decisions for a good part of the last two decades. Companies often collect, buy, sell, share and transfer consumer data with little to no regulation throughout the United States.
The exact route your data takes as it changes hands is almost beside the point now: there is an ocean of data about you and everyone else who owns a computer or smartphone and an internet connection, and it is hard to trace or regulate. And while hyper-targeted advertising can occasionally benefit the end-user, internet companies mostly use your data in ways you never gave them permission to exploit, assuming you even know all the ways companies use and process your data to make decisions.
Whether or not you know about how your data is used is irrelevant to internet companies as they’re the ones profiting from data collection and data sharing. Is there something that you, the end-user, can do to have some input on how your data gets used? Well, no. But the CCPA aims to change that.
The CCPA came into effect more than a year ago, on Jan. 1, 2020. Since then, California residents have enjoyed more rights over their data than any other state in the U.S. All internet companies, including the likes of Google, Facebook and Amazon, collect data on their users.
The CCPA doesn’t give you blanket control over your data. It does come with its own limits. However, as far as consumer privacy rights are concerned, the CCPA is definitely a step in the right direction. The industry of online user data collection has managed to operate with little to no checks, regulation or oversight for years, and it is about time consumers get to benefit from regulation such as CCPA.
For those who still don’t understand the type of data companies and third parties have on them and the real-world repercussions involved with such control, there are plenty of relevant examples of how companies use data that is personal and sensitive in nature. Companies such as Copley Advertising used geolocation data generated by users’ smartphone devices to send them anti-abortion ads when location data suggested they were near abortion clinics.
In 2018, the genetic testing service provider 23andMe gave the pharmaceutical giant GlaxoSmithKline, which had bought a $300 million stake in the company, access to what it termed “de-identified data.” While most customers hand over such data to trace their ancestry, they are usually given the choice to opt in to or out of research programs of this kind.
There’s also the famous case of Cambridge Analytica, which abused developer tools provided by Facebook to collect data belonging to up to 87 million user profiles on the platform without informing any of them about the firm’s activities. It was later found that Cambridge Analytica used the data to help the Trump campaign bombard people with targeted ads intended to influence their voting behavior.
There are countless examples of how companies have used and abused user data for their own means. The CCPA is a solution for such situations. It may not have the backing of all in the privacy advocacy community, but many agree that it is a good start.
Some, like Santa Clara University law professor Eric Goldman, hold the opinion that the CCPA is flawed and will weigh heavily on the businesses obligated to comply with it. One report estimated that initial compliance with the CCPA could cost companies up to $55 billion.
Goldman also believes the CCPA may actually end up creating unnecessary challenges for consumers in the long run rather than help them protect their privacy.
What Are the CCPA Requirements?
The California Consumer Privacy Act imposes several requirements that for-profit businesses and other covered entities must meet to be compliant. These are the upfront requirements for a company; beyond them, what is required depends on the kind of data collection it has done and whether any complaints have been filed against it:
- Companies must tell consumers what personal information they collect about them and what they do with it. They must also let the user know how and with whom they share that personally identifiable information (or PII).
- In practice, any qualifying company needs a data inventory so it can accurately track what personal information it holds, where it came from and how it has been processed; without one, it cannot answer access and deletion requests accurately.
- Companies must inform users about data collection at or before the point of collection, including the categories of personal information collected and the purposes for which it will be used. Note that the CCPA does not require opt-in consent before collecting or processing data; the main exception is the sale of personal information belonging to consumers under 16, which requires affirmative authorization.
- Companies must give users the right to access the personal information they hold on them.
- They should explain how users can request a copy of their data or its deletion. The latter is the CCPA’s right to delete, often compared with the GDPR’s right to be forgotten.
- Companies must also make sure users know the rights they have as a result of the CCPA becoming California’s new privacy law.
- If a company sells consumers’ personal information, it must provide a clear and conspicuous link on its homepage titled “Do Not Sell My Personal Information” that leads to a page where consumers can opt out of the sale.
Generally speaking, the CCPA tries to balance online commerce growth with better privacy protections.
What Does the CCPA Do?
The California Consumer Privacy Act (CCPA) gives any California resident the right to ask a company to show them all the personal information it has collected about them, as well as the categories of third parties with which the company has shared or sold that data. It also lets consumers take a company to court, but only in a narrower set of circumstances than is often assumed: the CCPA’s private right of action covers data breaches that expose nonencrypted, nonredacted personal information because the company failed to maintain reasonable security. Other violations are enforced by the state Attorney General, not by private lawsuits.
More specifically, the CCPA provides the following protections to California residents:
- It gives Californians the right to know what personal information a company is collecting about them.
- It gives them the right to know whether the company sells or discloses their information, and to whom.
- It grants California residents the right to block the sale of their personal information.
- It gives them the right to access all their personal information that a company may hold.
- It protects California residents from discrimination: a company must offer them the same price and level of service regardless of whether they exercised their privacy rights.
How Is CCPA Different from GDPR?
If you’re a company wondering whether you need to do something drastic to comply with the CCPA when you already comply with the European Union’s General Data Protection Regulation (or GDPR), there is good news. Generally speaking, a company that complies with the GDPR is well on its way to CCPA compliance, although the CCPA has a few requirements of its own, such as the “Do Not Sell My Personal Information” link and its treatment of household data.
GDPR compliance prepares a company for most of what the CCPA asks. Some multinationals made sweeping changes to how they handle and transfer user data for their European operations but left their U.S. operations untouched. For them, the main task is to extend the scope of the program they built for the GDPR to U.S. users and then address the handful of CCPA-specific obligations.
What counts as personal information under the CCPA? The law defines it broadly, starting with identifiers such as:
- Real name
- IP address
- Email address
- Unique personal identifier
- Account name
- Driver’s license number
- Social Security number
- Passport number
It also covers characteristics of protected classifications under California or federal law, and commercial information such as records of personal property, products or services purchased, obtained or considered, and other purchasing or consuming histories or tendencies.
It further covers biometric information; internet or other electronic network activity, including browsing history, search history and a user’s interactions with a website, application or advertisement; geolocation data; audio, electronic, visual, thermal, olfactory or similar information; and professional or employment-related information. Education information is covered as well, which the law defines as information that is not publicly available personally identifiable information (PII) as the Family Educational Rights and Privacy Act defines it.
If a company draws inferences from any of the data above to build a profile of a consumer reflecting their preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities and aptitudes, those inferences are personal information under the CCPA too.
This is important: When comparing the GDPR to the CCPA, it’s important to realize that the GDPR, in its current form, builds a legal framework in which privacy is the default in the EU. The CCPA, on the other hand, concentrates on bringing transparency to the massive data collection industry that operates in California and on giving the state’s online users more rights.
Moreover, the GDPR lets EU users stop a company from processing their data at all, while the CCPA mostly gives users the right to find out how companies use their data and to opt out of its sale. By the time a CCPA request is made, the company already holds the data and may already have sold it to third parties; under the GDPR, a company cannot obtain the data in the first place without a lawful basis.
The difference between the CCPA and the GDPR is essentially the difference between prior consent (opt-in) and opt-out. Under the GDPR, companies must have a legal basis for processing personal information. The CCPA doesn’t work that way and instead allows businesses to process user data without prior consent. Nor does the CCPA bar companies from selling a consumer’s personal information to third parties; it requires them to honor a consumer’s request to opt out of such sales.
Both GDPR and CCPA give consumers the right to access their personal data, be informed about how it’s used and export it. Both allow users to delete personal information as well. As mentioned, the GDPR is about granting users the right to prior consent, while CCPA is about giving users the right to opt-out.
The CCPA uses the term “personal information” while the GDPR uses “personal data.” The CCPA defines personal information as any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. The GDPR defines personal data as any information relating to an identified or identifiable natural person, directly or indirectly, in particular by reference to an identifier.
Note: In simpler terms, the CCPA’s definition is broader in one respect: it covers household data, not just data about a specific person, whereas the GDPR deals only with the individual. The GDPR in turn has a separate set of “special categories” of personal data (often called sensitive data) that companies may not process unless specific conditions are met, and it defines six lawful bases for processing personal data of users in the EU.
As far as scope is concerned, the GDPR protects individuals who are in the EU at the time a company collects and/or processes their data. The CCPA, on the other hand, only protects individuals who qualify as California residents.
The CCPA also differs from the GDPR in how it defines a business: a for-profit entity that collects consumers’ personal information and determines the purposes and means of processing it, and that meets at least one of three thresholds: annual gross revenue above $25 million; buying, receiving, selling or sharing the personal information of 50,000 or more consumers, households or devices; or deriving 50% or more of its annual revenue from selling consumers’ personal information.
The GDPR instead applies to data controllers, which decide why and how personal data is processed, and to processors, which handle the data on a controller’s behalf. There are no size, profit, revenue or public/private thresholds, and it does not matter whether the organization is based in the EU, so long as it processes the data of people in the EU.
Who Needs to Comply with CCPA?
Any for-profit company that does business in California, collects California residents’ personal information and has annual gross revenue above $25 million has to comply with the regulations brought in by the California Consumer Privacy Act (CCPA).
Of course, many companies won’t meet that threshold. The law doesn’t end there, though. In addition to companies meeting the revenue criterion, any company that annually buys, receives, sells or shares the personal information of 50,000 or more consumers, households or devices also has to comply with the law.
To further expand the scope of the new privacy regulation, the CCPA also covers any company that derives 50% or more of its annual revenue from selling consumers’ personal information.
This is important: We should also clarify that a company doesn’t have to operate out of California or even have a physical presence in the state to fall under the CCPA. In fact, even a company that is not based in the U.S. may still come under California’s privacy law if it does business with California residents.
The law has been amended since its passing. One amendment signed into California law in September 2020 expanded the exemption for health care providers, health plans and related organizations that already have to comply with the Health Insurance Portability and Accountability Act (or HIPAA), which governs the handling of protected health information.
What If a Company Does Not Comply with the CCPA?
When a company violates the California Consumer Privacy Act (CCPA), the Attorney General gives it 30 days to cure the violation. If it doesn’t, the state can seek civil penalties of up to $2,500 per violation, or up to $7,500 per intentional violation. BigID Senior Director of Privacy Strategy Debra Farber told CSO Online that the fine amount can rack up very quickly considering that most data breaches affect thousands if not millions of records. She also added that the exact fine amount is bound to change in the future.
Of course, a large fine for negligence or violation of the CCPA is not the only thing companies have to worry about now. Readers should keep in mind that the law lets individuals sue companies under a state privacy statute for the first time, though only over data breaches caused by a failure to maintain reasonable security. That is another financial risk: California consumers, individually or as a class, can file suit claiming damages.
Before seeking statutory damages, a consumer must give the company written notice of the specific provisions it violated; the company then has 30 days to cure the violation and provide a written statement that it has done so.
According to Farber, if the company doesn’t resolve the complaint and the Attorney General decides not to prosecute it, the consumer can file a class-action lawsuit against the company.
Note, though, that the private right of action is limited to data breaches. The CCPA’s other obligations are enforced by the state. One of them: any business that sells personal information must display a clear and conspicuous “Do Not Sell My Personal Information” link on its homepage, typically in the footer, leading to a page where users can opt out of the sale.
Websites that fail to provide this link, that don’t tell consumers what data they collect and how they use it, or that don’t give consumers access to copies of their data are in violation of the CCPA. Consumers can report such violations to the Attorney General, who can enforce them; they cannot sue over them directly.
As noted, the penalty a company pays for violating the CCPA depends on the case and will likely change over time. The private right of action currently applies when a consumer’s nonencrypted and nonredacted personal information is subject to unauthorized access and exfiltration, theft or disclosure as a result of the company’s failure to implement and maintain reasonable security procedures and practices.
The CCPA makes it clear that companies have a duty not only to implement reasonable security procedures and practices appropriate to the nature of the information but to maintain them so that consumer data remains safe. A company that breaches that duty is liable for the relevant penalties.
Reading through the provisions of the law, it should become clear to any qualifying company that the costs of not protecting consumer data sufficiently can and probably will add up quickly. And it isn’t just about the statutory damages of $100 to $750 per consumer per incident (or actual damages, whichever is greater) that companies may have to pay. There are many secondary data breach costs as well. A company has to mount a proper information technology response, which costs money, and beyond IT there are associated costs for recovery, forensics, legal work, notification and PR.
Bottom Line: Personal Data Categories/Definitions Don’t Matter as Much as Enforcement
Enforcement problems are bound to arise with the California Consumer Privacy Act, and new legislation will be needed to strengthen the current version. The best scenario for California’s privacy law or its amendments would have an independent agency focused on the privacy portion of the law, with the power to audit companies and check for compliance. California has taken a step in that direction: the California Privacy Rights Act (CPRA), approved by voters in November 2020, creates the California Privacy Protection Agency, which takes over rulemaking and enforcement from the Attorney General in 2023, and raises the 50,000-record threshold to 100,000. Whether the agency gets the resources to audit companies proactively remains to be seen.
Such an agency would also help block moves to water down the CCPA in the future, which is a very real possibility given the amount the industry has already spent on lobbying.