Ringing in 2020, the State of California had a special present ready for its residents: a brand-new data privacy law. Concerns about data privacy have long dominated media coverage and the conversation around the increasing number of apps and other data-focused tools which dominate our day-to-day lives. The new law, the California Consumer Privacy Act (CCPA), allows consumers to opt out of data collection methods they find objectionable. Below, we will explore what the CCPA is, its shortcomings, how it impacts businesses, and where it squares with existing federal privacy legislation.
What is the California Consumer Privacy Act (CCPA)?
In the wake of massive data leaks and hacks, many consumers have been outraged by the amount of data companies store regarding their habits, browsing, and other actions. A growing data privacy movement coupled with the need for action helped compel the California state legislature to pass the California Consumer Privacy Act.
This act allows consumers to see all the data a company has stored in relation to them, from personally identifiable information to anything else. Consumers can also request to know which third parties this data has been shared with. Additionally, consumers now have the ability to ‘opt-out’ of giving companies the ability to share their information and can ask for companies to delete the data with their request being honored except in very limited circumstances.
While consumers cannot sue if a company does not comply and ends up selling personal information, even when requested not to, they do have the ability to sue in the event of a data breach that exposes their personal information to hackers and others.
Are there any shortcomings or challenges when it comes to the CCPA?
The CCPA, while a step in the right direction, may not be as all-encompassing as some consumers would like. Some commonsense practices have still not been implemented, and the interpretation of how the new rules apply and what action must be taken in light of them seems to be nebulous, allowing some to barely comply.
For starters, there is still no universal opt-out form with the government’s blessing or even a sample one that businesses can use to fashion their own. Thus, tech companies and others are creating a multitude of forms to seek to comply with the law. Additionally, the California Attorney General’s office is still writing regulations that govern the implementation of the law, weakening the law itself and its enforcement until such time as they issue clear guidance.
There is another issue brewing also, which is the tech companies’ shifting of responsibility for “holding” information. Tech companies, such as Facebook, argue that the real holders of information who should be responsible are advertisers who collect data via their social media platform, not the social media company itself. This could lead to a situation where virtually no or literally no action is taken to protect consumer privacy rights while the law, its regulations, and its enforcement mechanisms are sorted out.
Finally, there are also challenges for businesses that may not realize they need to comply with the CCPA or may mistakenly do so, believing they must under the law. For example, a small e-commerce business may believe it applies to them and spend considerable capital attempting to comply, while a business that gathers information on 50,000 customers on the dot may believe the law applies at the 50,001st customer. Another significant challenge is that some businesses may need to de facto invent a department that is an expert at digital privacy and complying with the law that goes beyond their traditional information technology (IT) department.
What businesses have to comply with the CCPA?
Big business has taken steps to either proactively comply with what is currently a somewhat unclear law, or shift responsibility to not do so. The law applies to any company that qualifies for one or more of these three bars: makes more than $25 million a year in revenue, has at least 50,000 customers it gathers information on, or makes half its revenue or more from data gathering. If a company does not correct a violation, it can be fined $7,500 per violation.
Is there any federal privacy legislation in the works, and what is the future of privacy legislation in California?
Federal privacy legislation does exist, but it looks unlikely to go anywhere soon. With the current gridlock manifesting itself in Congress and the federal government, any sort of action in either the House of Representatives or the Senate, much less a bill for signature by the president, is unrealistic. Those who are not residents of California but wish for their privacy rights to be protected should contact the legislature of their state.
Although federal privacy legislation is unlikely to get a hearing, much less a vote, in either house of Congress, some California business groups are working to weaken California’s privacy law through federal legislation that would pre-empt California state law. They are similarly working to amend the law as it stands in the state legislature to make it less stringent for qualifying businesses.
Seeing this trend, there is a ballot initiative in California that would be approved directly by voters instead of being vetted through the legislature or by the governor. This stricter law would have limiting effects on the sale of certain personal information, require businesses to collect the minimum amount of personal information needed, and ensure consumers know how long they will hold that information for. Finally, there would be tougher penalties, especially for incidents involving minors age 16 and under.
How do I exercise my privacy rights?
Given the reach of the CCPA and the hope it gives consumers for expanded privacy protections, exercising your privacy rights is, in general, a two-step process.
The first step is to not opt-in in the first place. Thus, when an app, website, or other online platform asks if it is okay to collect data for “improved user experience” or other requests, click no. This initial click demonstrates that a business will not and cannot collect information on you. Thus, no file, no record, no anything that is personally identifiable or able to be sold.
On the other hand, if you are like the millions of Californians who either explicitly consented to the gathering and sharing of your personal information by clicking yes or implicitly did so by solely using a product, the process is slightly harder than clicking an opt-out button in most cases. Most companies now have forms that you can fill out for yourself or a minor – such as a teenager who uses a music streaming service – which allow you to opt out of any information or data sharing of your personal information with advertisers.
These forms are not a catch-all or comprehensive form like the Do Not Call registry, which informs all companies of your desire not to be solicited by telemarketers. Instead, you must fill out a form per company, per person to either instruct a company not to sell your information or to delete your information. For example, for a couple and their teenager, you would need three forms per company to cover all the members of your household. Be forewarned, some companies will delete your account if you ask them to delete your personal information, so be sure to know the consequences of your requests. You can then submit your form to the company using the prescribed method (either mail or online) to ensure that your privacy rights are protected.
Nowadays, there is a multitude of ways companies can obtain and sell your information to the highest bidder. The CCPA is a big step in the right direction and one way consumers can help stem the tide of this largely unregulated industry by limiting the power of companies to sell the most precious online commodity: data. However, there are many concerns over the long-term impacts that CCPA will have on consumers and businesses.
Additionally, with a small budget and team, the California Attorney General has promised some audits and compliance checks but may not be able to exercise the vigorous oversight that consumers expect and the law’s drafters may have envisioned. Given this, there is a fear that large companies may act in bad faith and bet on evading detection long enough, paying for fines when they come up, since this may be more profitable than complying with the law.